How to Debug 502 Errors in Kubernetes Ingress: Logging and Troubleshooting Guide for GCP



When dealing with Ingress controller issues on GCP, it's crucial to understand that Ingress logs are typically handled by the controller implementation you're using. For GKE deployments, this usually means either:

  • GCE Ingress (the default)
  • NGINX Ingress Controller
  • Other third-party controllers

For the native GCE Ingress controller, logs can be accessed through Cloud Logging with these commands:

# Filter logs for your specific ingress
gcloud logging read "resource.type=\"http_load_balancer\" AND resource.labels.url_map_name=\"YOUR_INGRESS_NAME\"" --format json

# General ingress controller logs
gcloud logging read "resource.type=\"gce_instance\" AND logName=\"projects/YOUR_PROJECT/logs/container.googleapis.com%2Fingress\""
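To turn the JSON from the first command into a per-backend breakdown of 502s, the following added example (not part of the original guide) groups entries by backend service and by the load balancer's `statusDetails` field. It assumes each entry carries `httpRequest.status`, `jsonPayload.statusDetails` and `resource.labels.backend_service_name`; the sample entries, the backend names and the hint wording are constructed for illustration.

```python
import json
import sys
from collections import Counter

# Hints are this example's own wording, keyed by the load balancer's statusDetails value.
HINTS = {
    "failed_to_pick_backend": "no healthy backend: check readiness probes, health checks, firewall rules",
    "failed_to_connect_to_backend": "connection failed: check service ports and firewall rules",
    "backend_timeout": "backend too slow: check the backend service timeout",
    "backend_connection_closed_before_data_sent_to_client": "backend closed early: check pod restarts and keepalive",
    "response_sent_by_backend": "the backend itself returned 502: check application logs",
}

def summarize_502s(entries):
    """Count 502 responses per (backend service, statusDetails) pair."""
    counts = Counter()
    for entry in entries:
        status = (entry.get("httpRequest") or {}).get("status", 0)
        if str(status) != "502":
            continue
        labels = (entry.get("resource") or {}).get("labels") or {}
        backend = labels.get("backend_service_name") or "(no backend selected)"
        detail = (entry.get("jsonPayload") or {}).get("statusDetails") or "(missing)"
        counts[(backend, detail)] += 1
    return counts

def report(counts):
    """Render one line per pair, most frequent first."""
    return [
        f"{n:4d}  {backend}  {detail}  -> {HINTS.get(detail, 'no hint for this value')}"
        for (backend, detail), n in counts.most_common()
    ]

def _entry(status, detail, backend):  # builds one constructed log entry
    return {"httpRequest": {"status": status},
            "jsonPayload": {"statusDetails": detail},
            "resource": {"type": "http_load_balancer", "labels": {"backend_service_name": backend}}}

# Constructed sample, shaped like `gcloud logging read ... --format json` output.
SAMPLE = [
    _entry(200, "response_sent_by_backend", "k8s1-constructed-my-service-80"),
    _entry(502, "failed_to_pick_backend", "k8s1-constructed-my-service-80"),
    _entry(502, "failed_to_pick_backend", "k8s1-constructed-my-service-80"),
    _entry(502, "backend_timeout", "k8s1-constructed-other-svc-8080"),
]

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(report(summarize_502s(data))))
```

Pipe the JSON output of the `gcloud logging read` command into the script to summarize real entries; run it from a terminal without piped input to see the constructed sample.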

If you're using the NGINX Ingress Controller, read the logs from the controller pod instead:

# Check NGINX controller pod logs
kubectl logs -n ingress-nginx $(kubectl get pods -n ingress-nginx | grep controller | awk '{print $1}')

# Enable debug logging (add to your deployment)
args:
  - --v=5
  - --configmap=$(POD_NAMESPACE)/nginx-configuration

In my experience, these are the most frequent causes of 502 errors:

  • Backend service not ready (check readiness probes)
  • Health check misconfiguration
  • Firewall rules blocking traffic
  • Certificate issues (for HTTPS)
  • Annotation misconfiguration

Here's my typical troubleshooting workflow:

# 1. Verify ingress resource details
kubectl describe ingress YOUR_INGRESS_NAME

# 2. Check backend services
kubectl get endpoints SERVICE_NAME

# 3. Verify health checks in GCP Console > Network Services > Load Balancing

A frequent mistake is incorrect backend protocol annotation:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
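    # Note: GKE reads the next two annotations from the Service object,
    # not from the Ingress; set here, they have no effect on the load balancer.
    cloud.google.com/backend-config: '{"ports": {"80":"my-backend-config"}}'
    cloud.google.com/neg: '{"ingress": true}'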
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: my-service
            port:
              number: 80

  • Use kubectl get events --sort-by=.metadata.creationTimestamp to see cluster-wide events
  • Enable GCP's operations suite for detailed monitoring
  • Consider temporary external debugging with curl -v requests

When working with Kubernetes Ingress on GCP, a 502 error typically indicates that your ingress controller cannot properly route traffic to backend services. Unlike standard service debugging, ingress controllers require specific logging approaches since they operate at layer 7.

For GKE clusters, use these commands to inspect ingress controller logs:

# View ingress controller pod names
kubectl get pods -n ingress-gke

# Stream logs from the specific ingress controller pod
kubectl logs -n ingress-gke [INGRESS_POD_NAME] --follow

# Check for errors in the ingress resource events
kubectl describe ingress [INGRESS_NAME]

GKE's managed ingress uses Google Cloud components that require additional logging methods:

# View load balancer backend services
gcloud compute backend-services list

# Check health status of backends
gcloud compute backend-services get-health [BACKEND_SERVICE_NAME] \
    --project=[PROJECT_ID] \
    --region=[REGION]

The most frequent causes of 502 errors include:

  • Backend service health checks failing (check timeout values)
  • Misaligned service ports between ingress and deployment
  • Missing or incorrect annotations like:
annotations:
  kubernetes.io/ingress.class: "gce"
  networking.gke.io/managed-certificates: "cert-name"

Here's a complete workflow I recently used to diagnose a 502 error:

# First verify the ingress resource
kubectl get ingress my-app-ingress -o yaml

# Then check the associated service
kubectl get svc my-app-service -o yaml

# Verify pod readiness
kubectl get endpoints my-app-service

# Finally check Cloud Logging with advanced filters
gcloud logging read \
  'resource.type="gce_backend_service" AND severity>=WARNING' \
  --project=[PROJECT_ID] --limit=50

For ongoing visibility, configure these GCP monitoring alerts:

  • Backend latency > 500ms
  • 5xx error rate > 1%
  • Unhealthy backends > 0

Create a custom dashboard with these key metrics:

# Cloud Monitoring MQL example
# backend_latencies is reported on the https_lb_rule monitored resource
fetch https_lb_rule
| metric 'loadbalancing.googleapis.com/https/backend_latencies'
| align rate(1m)
| every 1m