Introduction

When a Kubernetes Ingress returns 503, the ingress controller cannot route traffic to a healthy backend service. Typical reasons are a missing service, a wrong port, or a service with no endpoints.

Symptoms

- HTTP 503 from the ingress URL
- Ingress controller logs: "no healthy upstream" or "upstream connect error"
- Ingress resource exists but traffic does not reach pods
- TLS connections fail with certificate errors
- Specific paths return 503 while others work

Common Causes

- Backend service does not exist or has no endpoints
- Service port number in the Ingress does not match the service definition
- Ingress class does not match any controller
- TLS secret missing or expired
- Ingress controller itself unhealthy

Step-by-Step Fix

1. **Verify ingress configuration**:
   ```bash
   kubectl get ingress <ingress-name> -n <namespace> -o yaml
   kubectl describe ingress <ingress-name> -n <namespace>
   ```
2. **Check backend service and endpoints**:
   ```bash
   kubectl get svc <backend-service> -n <namespace>
   kubectl get endpoints <backend-service> -n <namespace>
   ```
3. **Check ingress controller logs**:
   ```bash
   kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=100
   ```
   Look for: "upstream server temporarily disabled" or "no endpoints".
4. **Verify ingress class**:
   ```bash
   kubectl get ingressclass
   kubectl get ingress <name> -n <namespace> -o jsonpath='{.spec.ingressClassName}'
   ```
5. **Check TLS secret**:
   ```bash
   kubectl get secret <tls-secret> -n <namespace>
   kubectl describe secret <tls-secret> -n <namespace>
   ```
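The cross-checks from steps 1, 2, 4 and 5 can be run in one pass over the JSON that `kubectl get ... -o json` returns. The following is an added example, not part of the original guide: the function name `diagnose_ingress` and the sample objects are constructed for illustration, and it only checks that a TLS secret exists, not whether its certificate has expired.

```python
import json

def diagnose_ingress(ingress, services, endpoints, classes, secrets):
    """Cross-check one Ingress against objects in its namespace (all parsed
    from `kubectl get ... -o json`) and return findings that explain a 503."""
    findings, spec = [], ingress["spec"]
    cls = spec.get("ingressClassName")
    if cls is not None and cls not in classes:
        findings.append(f"ingressClassName {cls!r} matches no IngressClass")
    for tls in spec.get("tls", []):
        if tls.get("secretName") not in secrets:
            findings.append(f"TLS secret {tls.get('secretName')!r} is missing")
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            where = f"{rule.get('host', '*')}{path.get('path', '/')}"
            svc_ref = path["backend"]["service"]
            name, port = svc_ref["name"], svc_ref["port"]
            svc = services.get(name)
            if svc is None:
                findings.append(f"{where}: service {name!r} does not exist")
                continue
            # The Ingress may reference the Service port by number or by name.
            want = port.get("number", port.get("name"))
            ports = svc["spec"]["ports"]
            exposed = [p["port"] for p in ports] + [p["name"] for p in ports if "name" in p]
            if want not in exposed:
                findings.append(f"{where}: port {want!r} not exposed by service {name!r}")
            # Only `addresses` are ready; `notReadyAddresses` receive no traffic.
            subsets = endpoints.get(name, {}).get("subsets") or []
            if not any(s.get("addresses") for s in subsets):
                findings.append(f"{where}: service {name!r} has no ready endpoints")
    return findings

# Constructed sample objects (trimmed to the fields the checks read).
INGRESS = json.loads("""{"spec": {"ingressClassName": "nginx",
  "tls": [{"secretName": "shop-tls"}],
  "rules": [{"host": "shop.example.test", "http": {"paths": [
    {"path": "/api",   "backend": {"service": {"name": "api",   "port": {"number": 8080}}}},
    {"path": "/",      "backend": {"service": {"name": "web",   "port": {"name": "http"}}}},
    {"path": "/admin", "backend": {"service": {"name": "admin", "port": {"number": 80}}}}]}}]}}""")
SERVICES = {"api": {"spec": {"ports": [{"port": 80}]}},
            "web": {"spec": {"ports": [{"name": "http", "port": 80}]}}}
ENDPOINTS = {"api": {"subsets": [{"addresses": [{"ip": "10.0.0.5"}]}]},
             "web": {"subsets": [{"notReadyAddresses": [{"ip": "10.0.0.9"}]}]}}

if __name__ == "__main__":
    for finding in diagnose_ingress(INGRESS, SERVICES, ENDPOINTS, {"nginx"}, set()):
        print(finding)
```

Services, Endpoints and TLS secrets must come from the same namespace as the Ingress, since an Ingress can only reference objects in its own namespace.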

Prevention

- Validate ingress resources with kubeval before applying
- Use ingress-nginx admission webhook for validation
- Monitor ingress controller metrics (request rate, 5xx rate)
- Set up external health checks for ingress endpoints
- Use cert-manager for automated TLS certificate management