# Debug Kubernetes 502 responses

Answer first: a 502 usually means the edge path is alive but the backend path is broken. Check ingress, service endpoints, pod readiness, and recent rollout events together.

## Problem

Users get HTTP 502 from a Kubernetes app even though DNS and the public load balancer are reachable.

## App workflow/query

```text
Clanker Cloud app:
1. Open Kubernetes or Overview.
2. Select context prod-eks and namespace checkout.
3. Ask:
Why is checkout returning 502 through ingress? Check ingress rules, service endpoints, pod readiness, recent events, and the last rollout in namespace checkout.
```

## Open-source CLI equivalent

```bash
clanker k8s health --context prod-eks -o json

# Same investigation prompt as in the Clanker Cloud app (prompt text, not a shell command):
# Why is checkout returning 502 through ingress? Check ingress rules, service endpoints, pod readiness, recent events, and the last rollout in namespace checkout.
```

## Input context

Clanker Cloud app connected to the affected cluster, kubeconfig trusted locally, namespace checkout, ingress hostname, service name checkout-api, deployment name checkout-api, and the approximate time the 502 started.

## Output example

```text
Finding: ingress checkout.example.com routes /checkout to service checkout-api:8080, but the service has zero ready endpoints. Pods from rollout checkout-api-7f9c are NotReady because readiness probes fail on /healthz after DB_URL was changed in the last deploy. Suggested next step: roll back the deployment or restore the secret value, then re-check endpoints before touching ingress.
```
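
The finding above rests on two read-only facts: the Endpoints object for checkout-api has no ready addresses, and the pods behind it report Ready=False. The following added example (not Clanker Cloud's code) derives the same conclusion from `kubectl get ... -o json` output; the sample JSON, pod name suffixes, IPs and the function names are constructed for illustration.

```python
import json

# Constructed sample, trimmed from:
#   kubectl get endpoints checkout-api -n checkout -o json
ENDPOINTS = json.loads("""{"subsets": [{"ports": [{"port": 8080}],
  "notReadyAddresses": [
    {"ip": "10.0.1.12", "targetRef": {"kind": "Pod", "name": "checkout-api-7f9c-aaaaa"}},
    {"ip": "10.0.1.13", "targetRef": {"kind": "Pod", "name": "checkout-api-7f9c-bbbbb"}}]}]}""")

# Constructed sample, trimmed from: kubectl get pods -n checkout -o json
PODS = json.loads("""{"items": [
  {"metadata": {"name": "checkout-api-7f9c-aaaaa"}, "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "ContainersNotReady"}]}},
  {"metadata": {"name": "checkout-api-7f9c-bbbbb"}, "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "ContainersNotReady"}]}}]}""")


def backend_state(endpoints, pods):
    """Count ready addresses and map each not-ready pod to its Ready-condition reason."""
    ready, reasons = 0, {}
    for subset in endpoints.get("subsets") or []:  # no subsets: selector matched no pods
        ready += len(subset.get("addresses") or [])
        for addr in subset.get("notReadyAddresses") or []:
            name = (addr.get("targetRef") or {}).get("name", addr["ip"])
            reasons[name] = "unknown"
    for pod in pods.get("items") or []:
        name = pod["metadata"]["name"]
        for cond in pod.get("status", {}).get("conditions") or []:
            if name in reasons and cond["type"] == "Ready" and cond["status"] != "True":
                reasons[name] = cond.get("reason", "unknown")
    return ready, reasons


def verdict(endpoints, pods):
    """Hypothetical helper: turn the counts into the next read-only check."""
    ready, reasons = backend_state(endpoints, pods)
    if ready:
        return "ready endpoints exist: check ingress rules and the service port"
    if not reasons:
        return "no endpoints: compare the Service selector with pod labels"
    detail = ", ".join(f"{n} ({r})" for n, r in sorted(reasons.items()))
    return "zero ready endpoints, pods failing readiness: " + detail


if __name__ == "__main__":
    print(verdict(ENDPOINTS, PODS))
```

An Endpoints object with no `subsets` at all points at a selector or label mismatch rather than a failing readiness probe, which is why the two cases get different verdicts.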

## Safety boundary

Read-only investigation. The app reads cluster state through the local runtime and the open-source CLI engine underneath it. No kubectl apply, delete, restart, or rollout command runs unless you create and approve a separate maker/action plan.

## Supported providers

Kubernetes, EKS, GKE, AKS, Cloudflare, AWS ALB.

## Next step

Open the reviewed plan only after the cause is clear: restore the missing secret, roll back the rollout, or fix readiness configuration and re-check endpoints.
