Open
Labels: bug (Something isn't working)
Description
### Is there an existing issue for this?
- I have searched the existing issues

### Current Behavior
KIC helm config is below:

```yaml
enabled: true
image:
  repository: harbor.onlineops.lenovo.com/onlineops/kong-ingress-controller
  tag: "3.4.3"
  # Optionally set a semantic version for version-gated features. This can normally
  # be left unset. You only need to set this if your tag is not a semver string,
  # such as when you are using a "next" tag. Set this to the effective semantic
  # version of your tag: for example if using a "next" image for an unreleased 3.1.0
  # version, set this to "3.1.0".
  effectiveSemver:
args: []
gatewayDiscovery:
  enabled: false
  generateAdminApiService: false
  adminApiService:
    namespace: ""
    name: ""
# Specify individual namespaces to watch for ingress configuration. By default,
# when no namespaces are set, the controller watches all namespaces and uses a
# ClusterRole to grant access to Kubernetes resources. When you list specific
# namespaces, the controller will watch those namespaces only and will create
# namespaced-scoped Roles for each of them. The controller will still use a
# ClusterRole for cluster-scoped resources.
# Requires controller 2.0.0 or newer.
watchNamespaces: []
# Specify Kong Ingress Controller configuration via environment variables
env:
  # The controller disables TLS verification by default because Kong
  # generates self-signed certificates by default. Set this to false once you
  # have installed CA-signed certificates.
  kong_admin_tls_skip_verify: true
  dump_config: "true"
  dump_sensitive_config: "true"
  log_format: "json"
  kong_admin_url: http://kong-gateway-admin:8001
  # If using Kong Enterprise with RBAC enabled, uncomment the section below
  # and specify the secret/key containing your admin token.
  # kong_admin_token:
  #   valueFrom:
  #     secretKeyRef:
  #       name: CHANGEME-admin-token-secret
  #       key: CHANGEME-admin-token-key
# This section is for any customer-specific environment variables that don't require the CONTROLLER_ prefix.
# Example as below, uncomment if required and add additional attributes as required.
# customEnv:
#   TZ: "Europe/Berlin"
# Load all ConfigMap or Secret keys as environment variables:
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
envFrom: []
admissionWebhook:
  matchPolicy: Equivalent
  enabled: true
  # Limit the `secrets.plugins.validation.ingress-controller.konghq.com` webhook
  # to only Secrets with the appropriate KIC "konghq.com/validate" label.
  filterSecrets: false
  failurePolicy: Ignore
  port: 8080
  certificate:
    provided: false
  # namespaceSelector specifies namespaces in which the resources are validated by the `*.validations.kong.konghq.com` webhooks.
  # For example, the `kube-system` namespace contains objects created by the Kubernetes system, like `kube-dns` service.
  # You can exclude the kube-system namespace from being intercepted using below namespaceSelector:
  # namespaceSelector:
  #   matchExpressions:
  #   - key: kubernetes.io/metadata.name
  #     operator: NotIn
  #     values:
  #     - kube-system
  namespaceSelector: {}
  # ObjectSelector specifies which objects to match against the validations.kong.konghq.com webhook
  objectSelector:
    matchExpressions:
    - key: owner
      operator: NotIn
      values:
      - helm
  # Specify the secretName when the certificate is provided via a TLS secret
  # secretName: ""
  # Specify the CA bundle of the provided certificate.
  # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
  # caBundle:
  #   | Add the CA bundle content here.
  service:
    # Specify custom labels for the validation webhook service.
    labels: {}
  # Tune the default Kubernetes timeoutSeconds of 10 seconds
  # timeoutSeconds: 10
ingressClass: kong
# annotations for IngressClass resource (Kubernetes 1.18+)
ingressClassAnnotations: {}
## Define any volumes and mounts you want present in the ingress controller container
## Volumes are defined above in deployment.userDefinedVolumes
# userDefinedVolumeMounts:
# - name: "volumeName"
#   mountPath: "/opt/user/dir/mount"
rbac:
  create: true
  enableClusterRoles: true
livenessProbe:
  httpGet:
    path: "/healthz"
    port: 10254
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
readinessProbe:
  httpGet:
    path: "/readyz"
    port: 10254
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
resources: {}
konnect:
  enabled: false
  # Deprecated: Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
  runtimeGroupID: ""
  # Specifies a Konnect Control Plane's ID that the controller will push its data-plane config to.
  controlPlaneID: ""
  # Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
  # By default, this is set to US region's production API hostname.
  # If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
  apiHostname: "us.kic.api.konghq.com"
  # Specifies a secret that contains a client TLS certificate that the controller
  # will use to authenticate against Konnect APIs.
  tlsClientCertSecretName: "konnect-client-tls"
  license:
    # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
    enabled: false
adminApi:
  tls:
    client:
      # Enable TLS client authentication for the Admin API.
      enabled: false
      # If set to false, Helm will generate certificates for you.
      # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
      certProvided: false
      # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
      # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
      # a specific secret name).
      secretName: ""
      # CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
      # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
      # a specific secret name).
      caSecretName: ""
```

### Expected Behavior
KIC should sync the rules when the Kong gateway pod restarts.

### Steps To Reproduce
1. Delete one pod of the Kong gateway.
2. Bind hosts on the computer.
3. Check whether the rule is in effect.

### Kong Ingress Controller version
3.4

### Kubernetes version
1.26

### Anything else?
No response