Troubleshoot GKE Ingress


This page shows you how to resolve issues relating to Ingress in Google Kubernetes Engine (GKE).

If you need additional assistance, reach out to Cloud Customer Care.

Incorrect annotation for the Ingress class

Symptom

When you create an Ingress, you might see the following error:

Missing one or more resources. If resource creation takes longer than expected, you might have an invalid configuration.

Potential causes

When creating the Ingress, you might have incorrectly configured the Ingress class in the manifest.

Resolution

To specify an Ingress class, you must use the kubernetes.io/ingress.class annotation. You cannot specify a GKE Ingress using spec.ingressClassName.

  • To deploy an internal Application Load Balancer, use the kubernetes.io/ingress.class: gce-internal annotation.
  • To deploy an external Application Load Balancer, use the kubernetes.io/ingress.class: gce annotation.

Incorrect annotation for the static IP address

Symptom

When you configure an external Ingress to use a static IP address, you might see the following error:

Error syncing to GCP: error running load balancer syncing routine: loadbalancer <Name of load balancer> does not exist: the given static IP name <Static IP> doesn't translate to an existing static IP.

Potential causes

  • You didn't create a static external IP address before you deployed the Ingress.
  • You're not using the correct annotation for your type of load balancer.

Resolution

If you're configuring an external Ingress:

If you're configuring an internal Ingress:

  • Reserve a regional static internal IP address before you deploy the Ingress.
  • Use the annotation kubernetes.io/ingress.regional-static-ip-name on your Ingress resource.

Static IP address is already in use

Symptom

You might see the following error when you specify a static IP address to provision your internal or external Ingress resource:

Error syncing to GCP: error running load balancer syncing
routine: loadbalancer <LB name> does not exist:
googleapi: Error 409: IP_IN_USE_BY_ANOTHER_RESOURCE - IP ''<IP address>'' is already being used by another resource.

Potential causes

The static IP address is already being used by another resource.

Error when disabling HTTP and using a Google-managed certificate

Symptom

If you are configuring a Google-managed SSL certificate and disabling HTTP traffic on your Ingress, you see the following error:

Error syncing to GCP: error running load balancer syncing
routine: loadbalancer <Load Balancer name> does not exist:
googleapi: Error 404: The resource ''projects/<Project>/global/sslPolicies/<Policy name>' was not found, notFound

Potential causes

You can't use the following annotations together when you configure the Ingress:

  • networking.gke.io/managed-certificates (for associating the Google-managed certificate to an Ingress)
  • kubernetes.io/ingress.allow-http: false (for disabling HTTP traffic)

Resolution

Disable HTTP traffic only after the external Application Load Balancer is fully programmed. At that point, update the Ingress by adding the annotation kubernetes.io/ingress.allow-http: false to the manifest.
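
The Ingress class, static IP address, and managed-certificate sections above all come down to annotation mistakes that can be caught before deployment. The following is an added example, not part of the GKE documentation or tooling: lint_ingress, its finding codes, and the sample manifests are hypothetical, and manifests are assumed to be already parsed into dicts.

```python
# Added example (not from the GKE docs): lint an Ingress manifest, given as a
# dict, for the annotation mistakes this page describes.
CLASS = "kubernetes.io/ingress.class"
REGIONAL_IP = "kubernetes.io/ingress.regional-static-ip-name"
MANAGED_CERTS = "networking.gke.io/managed-certificates"
ALLOW_HTTP = "kubernetes.io/ingress.allow-http"


def lint_ingress(manifest):
    """Return (code, message) findings; an empty list means no known issue."""
    ann = (manifest.get("metadata") or {}).get("annotations") or {}
    spec = manifest.get("spec") or {}
    findings = []
    # GKE Ingress is selected by annotation, not by spec.ingressClassName.
    if "ingressClassName" in spec and CLASS not in ann:
        findings.append(("class-in-spec",
                         f"set the {CLASS} annotation to gce or gce-internal"))
    # An internal Ingress must name its address with the regional annotation.
    if ann.get(CLASS) == "gce-internal":
        for key in ann:
            if key.endswith("static-ip-name") and key != REGIONAL_IP:
                findings.append(("wrong-ip-annotation",
                                 f"{key}: use {REGIONAL_IP}"))
    # The page says these two annotations cannot be combined at creation time.
    # str() also covers a YAML loader that produced a boolean False.
    if MANAGED_CERTS in ann and str(ann.get(ALLOW_HTTP, "")).lower() == "false":
        findings.append(("http-disabled-too-early",
                         f"add {ALLOW_HTTP} after the load balancer is programmed"))
    return findings


# Constructed sample manifests; all names are placeholders.
INTERNAL_BAD = {"metadata": {"name": "internal-bad", "annotations": {
    CLASS: "gce-internal",
    "kubernetes.io/ingress.global-static-ip-name": "example-ip"}}, "spec": {}}
EXTERNAL_BAD = {"metadata": {"name": "external-bad", "annotations": {
    MANAGED_CERTS: "example-cert", ALLOW_HTTP: "false"}},
    "spec": {"ingressClassName": "gce"}}
GOOD = {"metadata": {"name": "internal-good", "annotations": {
    CLASS: "gce-internal", REGIONAL_IP: "example-ip"}}, "spec": {}}

if __name__ == "__main__":
    for m in (INTERNAL_BAD, EXTERNAL_BAD, GOOD):
        print(m["metadata"]["name"], lint_ingress(m))
```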

Proxy-only subnet is missing for an internal Ingress

Symptom

When you deploy an Ingress for an internal Application Load Balancer, you might see the following error:

Error syncing to GCP: error running load balancer syncing routine:
loadbalancer <LB name> does not exist: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/<Project ID>/regions/<Region>/targetHttpsProxies/<Target proxy>'.
An active proxy-only subnetwork is required in the same region and VPC as
the forwarding rule.

Potential causes

You didn't create a proxy-only subnet before you created the Ingress resource. A proxy-only subnet is required for internal Application Load Balancers.

Resolution

Create a proxy-only subnet before you deploy the internal Ingress.

SSL certificate key is too large

Symptom

If the key size of the SSL certificate of your load balancer is too large, you might see the following error:

Error syncing to GCP: error running load balancer syncing routine: loadbalancer gky76k70-load-test-trillian-api-ingress-fliismmb does not exist: Cert creation failures - k8s2-cr-gky76k70-znz6o1pfu3tfrguy-f9be3a4abbe573f7 Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge

Potential causes

Google Cloud has a limit of 2,048 bits for SSL certificate keys.

Resolution

Reduce the size of the SSL certificate key to 2,048 bits or fewer.

Error creating an Ingress in Standard Tier

Symptom

If you are deploying an Ingress in a project with the project default network tier set to Standard, the following error message appears:

Error syncing to GCP: error running load balancer syncing routine: load balancer <LB Name> does not exist: googleapi: Error 400: STANDARD network tier (the project''s default network tier) is not supported: STANDARD network tier is not supported for global forwarding rule., badRequest

Resolution

Configure the project default network tier to Premium.