Policy Manager connects to the gateway without problems when only one gateway pod is deployed, but when the replica count is 2 or more, Policy Manager fails with the error:
“Gateway Inactivity Session Timeout has been reached”
container gateway
After Policy Manager logs in to the gateway, the session info is stored locally in the memory of that gateway node/pod, i.e. the session info is not cluster-wide.
When the Kubernetes proxy routes the Policy Manager traffic to another gateway pod, that pod rejects the request because it has no matching session info.
There are a few options, such as kubectl port-forward to a specific pod, but a better option is to expose one more service (for Policy Manager) with session affinity. For example (assuming the name of the gateway deployment is gw-dc):
kubectl expose deployment gw-dc --type=NodePort --session-affinity=ClientIP --name=pm-svc
Then run the command:
kubectl get svc
It will show the new service pm-svc; use that for the Policy Manager connection.
Alternatively, you can configure it in a YAML file. For example (gw-svc-ex is for normal API calls, pm-gw-svc-ex is for Policy Manager access):
---
# Service for normal API traffic; no session affinity is needed here.
# nodePort values outside the default 30000-32767 range are only accepted
# if the kube-apiserver --service-node-port-range includes them.
apiVersion: v1
kind: Service
metadata:
  name: gw-svc-ex
  annotations:
    description: "Gateway service for external access"
spec:
  selector:
    app: gw
  type: NodePort
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
      nodePort: 8080
      name: gw-http-port
    - protocol: TCP
      port: 8443
      targetPort: 8443
      nodePort: 8443
      name: gw-https-port
---
# Service for Policy Manager; ClientIP affinity keeps one client on one pod.
apiVersion: v1
kind: Service
metadata:
  name: pm-gw-svc-ex
  annotations:
    description: "Gateway service for policy manager"
spec:
  selector:
    app: gw
  type: NodePort
  ports:
    - protocol: TCP
      port: 9443
      targetPort: 9443
      nodePort: 9443
      name: gw-pm-port
  sessionAffinity: ClientIP
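The failure and the fix described above, as a simplified model (an added example, not part of the original article and not gateway or kube-proxy code). The pod class, the rotation picker, the function names and the source IPs are assumptions made for illustration; the last case goes one step beyond the article to show that ClientIP affinity pins by source IP only.

```python
import itertools


class GatewayPod:
    """One gateway replica; Policy Manager sessions live only in its memory."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def login(self):
        token = f"{self.name}-session-{len(self.sessions)}"
        self.sessions.add(token)
        return token

    def handle(self, token):
        # A pod that never saw the login has no matching session info.
        return token in self.sessions


def rotation(pods):
    """No affinity, modelled as plain rotation over the pods (assumption)."""
    cycle = itertools.cycle(pods)
    return lambda source_ip: next(cycle)


def client_ip_affinity(pods):
    """sessionAffinity: ClientIP, modelled as source IP -> first pod chosen."""
    fallback, pinned = rotation(pods), {}

    def pick(source_ip):
        if source_ip not in pinned:
            pinned[source_ip] = fallback(source_ip)
        return pinned[source_ip]

    return pick


# 10.0.0.5 / 10.0.0.6 are constructed sample addresses.
def rejected(replicas, make_picker, source_ips=("10.0.0.5",), requests=20):
    """Log in once, send `requests` calls, return how many were rejected."""
    pods = [GatewayPod(f"gw-dc-{i}") for i in range(replicas)]
    pick = make_picker(pods)
    token = pick(source_ips[0]).login()
    ips = itertools.cycle(source_ips)
    return sum(not pick(next(ips)).handle(token) for _ in range(requests))


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "replicas:", rejected(n, rotation), "rejected without affinity,",
              rejected(n, client_ip_affinity), "with ClientIP affinity")
    # Affinity is keyed on source IP: a client whose IP alternates is not pinned.
    print(rejected(2, client_ip_affinity, ("10.0.0.5", "10.0.0.6")))
```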