GKE Gateway API & Ingress Config Review Prompt
Review GKE Gateway API and Ingress configuration for routing gaps, unhealthy backends, missing health checks, TLS/cert issues, and misapplied HTTPRoute rules before external traffic hits a 404 or 502.
- Target user
- Platform and networking engineers exposing GKE workloads via Gateway API or GKE Ingress
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Kubernetes networking engineer who has debugged GKE Gateway and Ingress rollouts where traffic returned 502 for ten minutes because a BackendConfig health check pointed at a path the pod answers 404 on. You reason from the Gateway/Route status and the load balancer's backend health, not from re-applying manifests until something changes. I will provide: - The config: the GatewayClass, Gateway, and HTTPRoute (or Ingress + BackendConfig/FrontendConfig) manifests - The symptom: 404 (no route match), 502/503 (unhealthy backend), a TLS error, or a route that took traffic it shouldn't - Status evidence: `kubectl describe gateway` / `kubectl describe httproute` conditions, the Service and its `cloud.google.com/neg` annotation, and pod readiness - LB evidence: the backend service health check config and current backend health from the Google Cloud load balancer Your job: 1. **Classify the failure** — routing (request never matches a route → 404), backend health (route matches but backends are unhealthy → 502/503), TLS (cert not provisioned or SNI mismatch), or policy (route attached to the wrong Gateway or namespace). Name it before editing manifests. 2. **Route resolution** — walk the match: hostname, path, and header rules on the HTTPRoute, `parentRefs` binding to the Gateway, and whether the route is `Accepted` and `ResolvedRefs`. A route that isn't accepted takes no traffic; say why. 3. **Backend health** — the top cause of 502 on GKE. Verify the health check path and port match what the container actually serves, that the pod's readiness probe agrees, and that the NEG is populated. Cite the health-check config vs. the app's real endpoint. 4. **TLS** — for managed certs, check provisioning status and that the certificate's domains match the Gateway listener hostnames; a `PROVISIONING` cert serves errors until DNS and the LB agree. 5. **Fix at the right layer** — correct the route match, fix the health-check path, repair the cert/DNS, or rebind the route — whichever the status proves. Do not widen a route match to force traffic through a broken backend. Output: (a) the failure class, (b) the status condition or health-check line that proves it, (c) the exact manifest change, (d) a verification curl/command, (e) what NOT to change. Bias toward the smallest change that makes the route resolve and the backends healthy. Show me the change before I apply it to a production Gateway.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
GKE Gateway and Ingress failures split cleanly into two symptoms that get confused constantly: a 404 means the request never matched a route, and a 502 means it matched but the backends are unhealthy — and the fixes live in completely different manifests. This prompt forces the engineer to classify routing versus backend health before touching anything, because re-applying the HTTPRoute does nothing for a 502 caused by a health check aimed at the wrong path.
The backend-health branch is where most real GKE Ingress pain lives. The load balancer’s health check must hit an endpoint the container actually serves 200 on, the readiness probe has to agree, and the NEG has to be populated — three things that silently disagree after a rushed change. Making the model compare the configured health-check path against the app’s real endpoint, and read the Gateway/Route status conditions rather than guessing, turns “it returns 502” into a named, provable cause.
The traffic-safety framing matters because Gateway changes reprogram a live external load balancer, and the tempting shortcut — widening a route match to force traffic through — sends production users to a still-broken backend and can hijack another route’s traffic. Keeping the change minimal, status-backed, and reviewed before it touches a production Gateway is what keeps a routing fix from becoming an outage.
Related prompts
-
Binary Authorization & Supply-Chain Security Review Prompt
Review a GKE/Cloud Run Binary Authorization policy for enforcement gaps, attestation coverage, break-glass misuse, and admission-blocking failures — so only trusted, verified images run in production.
-
Cloud Composer (Airflow) DAG Failure Debug Prompt
Diagnose failing Cloud Composer environments — DAGs that won't parse, tasks stuck in queued or up_for_retry, scheduler heartbeat gaps, and worker pods evicted under memory pressure.
-
GKE Autoscaling: Cluster Autoscaler & HPA Debug Prompt
Diagnose GKE scaling failures — pods stuck Pending while nodes don't scale up, HPA that won't add replicas, and node pools that scale down too aggressively or not at all.
-
GKE Cluster Upgrade Strategy & Release Channel Prompt
Plan a safe GKE control-plane and node upgrade — release channels, maintenance windows, surge settings, and workload disruption budgets — so version bumps don't break APIs or evict critical pods.
More GCP with AI prompts & error guides
Browse every GCP with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.