NGF Pod fails to become ready due to nginx reload failure: "failed to send the HUP signal to NGINX main: operation not permitted" #1695

Open
@kate-osborn

Describe the bug
In some environments, the NGINX Gateway Fabric fails to report as ready. The nginx-gateway logs report an error reloading NGINX:

{"level":"error","ts":"2024-03-12T02:21:19Z","logger":"eventLoop.eventHandler","msg":"Failed to update NGINX configuration","batchID":1,"error":"failed to reload NGINX: failed to send the HUP signal to NGINX main: operation not permitted"

This is due to the control plane now having the proper permissions to reload NGINX.

Workaround

To resolve this issue you will need to set allowPrivilegeEscalation to true.

  • If using Helm, you can set the nginxGateway.securityContext.allowPrivilegeEscalation value.
  • If using the manifests directly, you can update this field under the nginx-gateway container’s securityContext.

Open Questions

  • So far we have been unable to reproduce this issue on kind or any managed Kubernetes platform. How can we reproduce?
  • What is the root cause of this permissions issue? Is there a cluster setting that can be tweaked?
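
An added diagnostic example (not part of the issue or of NGINX Gateway Fabric) for gathering evidence on the open questions: kill(2) succeeds only when the sender holds CAP_KILL or its real or effective UID matches the target's real or saved UID, and Kubernetes sets the no_new_privs flag on a container when allowPrivilegeEscalation is false. The script applies that rule to two /proc/<pid>/status dumps; the function names and the sample dumps, including their UIDs and masks, are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch; not NGINX Gateway Fabric code.
# Input: text of /proc/<pid>/status for the signalling and the signalled process.

# field NAME COL: print column COL of the NAME line from a status dump on stdin.
field() {
    awk -v name="$1:" -v col="$2" '$1 == name { print $col; exit }'
}

# has_cap_kill HEXMASK: true if CAP_KILL (capability number 5) is in the mask.
has_cap_kill() {
    [ $(( (0x${1:-0} >> 5) & 1 )) -eq 1 ]
}

# can_signal SENDER TARGET: apply the kill(2) permission rule and print
# "allowed:cap_kill", "allowed:uid_match" or "denied:nnp=<NoNewPrivs value>".
can_signal() {
    s_capeff=$(printf '%s\n' "$1" | field CapEff 2)
    s_ruid=$(printf '%s\n' "$1" | field Uid 2)      # real UID
    s_euid=$(printf '%s\n' "$1" | field Uid 3)      # effective UID
    s_nnp=$(printf '%s\n' "$1" | field NoNewPrivs 2)
    t_ruid=$(printf '%s\n' "$2" | field Uid 2)      # real UID
    t_suid=$(printf '%s\n' "$2" | field Uid 4)      # saved set-user-ID

    if has_cap_kill "$s_capeff"; then echo "allowed:cap_kill"; return 0; fi
    for s in "$s_ruid" "$s_euid"; do
        for t in "$t_ruid" "$t_suid"; do
            if [ "$s" = "$t" ]; then echo "allowed:uid_match"; return 0; fi
        done
    done
    # No capability and no UID match: the HUP would fail with EPERM.
    echo "denied:nnp=$s_nnp"
}

# Constructed sample dumps (not captured from a real cluster).
SENDER_DENIED=$(printf 'Uid:\t102\t102\t102\t102\nCapEff:\t0000000000000000\nNoNewPrivs:\t1\n')
SENDER_CAP=$(printf 'Uid:\t102\t102\t102\t102\nCapEff:\t0000000000000020\nNoNewPrivs:\t0\n')
TARGET=$(printf 'Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\n')

can_signal "$SENDER_DENIED" "$TARGET"   # denied:nnp=1
can_signal "$SENDER_CAP" "$TARGET"      # allowed:cap_kill
```

A "denied" result with NoNewPrivs at 1 on an affected node, compared against the same dump from a node where the reload works, shows whether the two environments differ in the control plane's effective capabilities.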