Troubleshooting Pod-to-service Communication in k8s: The Proxy Trap

Muskan AgrawalMuskan Agrawal
2 min read

Life as a DevOps engineer gets interesting when a “simple” microservice-to-microservice call in Kubernetes…just refuses to work.

Recently, I ran into a problem you might recognize if you work with microservices on k8s. Two microservices, both running in a namespace called app, just wouldn’t talk to each other via a Kubernetes ClusterIP Service. Logging into one application pod, I kept seeing errors like:

tcp 172.20.186.216:3939: connect: connection refused
time="2024-01-31T06:33:01.618Z" level=error msg="http: proxy error: dial tcp 172.20.186.216:3939: connect: connection refused"
192.168.208.226 - - [31/Jan/2024:06:32:58 +0000] "GET /content/abcd/ HTTP/1.1" 502 0
time="2024-01-31T06:33:01.619Z" level=info msg="Connected to session server [http://service-a.app:50734/](http://service-a.app:50734/)"

The Usual Suspects: Ping and Service Connectivity

First steps in troubleshooting? Ping the pod, then ping the service IP. Strangely, both worked!
Next, I checked environment variables for proxy settings:

env | grep -i proxy

Everything looked fine:

no_proxy=192.168.0.0/16,172.20.0.0/16,.mydomain.com,localhost,127.0.0.1

So it should’ve excluded both the pod and service addresses from proxying. Or so I thought.

The Clever Culprit: DNS Name and Proxy

I ran a curl command inside the pod:

curl -ivk http://<servicename.namespace:port>

And noticed—the container was still routing the request through the proxy!
Why? Here’s the trick: The application was connecting to the service using its DNS name (servicename.namespace), not its ClusterIP.

The NO_PROXY variable only contained the raw IP network CIDR ranges, not the DNS domain used by services within the namespace.

The Solution: Update NO_PROXY for Your Namespace

What finally did the trick? Adding .app (the namespace as a DNS suffix) to NO_PROXY made everything work.

Example pod spec with the correct environment:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: app
spec:
  containers:
  - name: mycontainer
    image: myimage:latest
    env:
      - name: HTTP_PROXY
        value: http://proxy.corp.domain:8080
      - name: HTTPS_PROXY
        value: https://secureproxy.corp.domain:8080
      - name: NO_PROXY
        value: 192.168.0.0/16,172.20.0.0/16,*.mydomain.com,localhost,127.0.0.1,*.app

With *.app in NO_PROXY, Kubernetes service DNS calls are excluded from proxy interception—and the services communicate as intended.

Key Takeaways

  • Always add your namespace (and/or service domain suffix) to NO_PROXY when using proxies in Kubernetes pods.

  • Proxy variables prevent endless debugging of mysterious 502s and connection refused errors.

  • Don’t just rely on IP/CIDR in NO_PROXY; DNS-based service names need coverage too.

0
Subscribe to my newsletter

Read articles from Muskan Agrawal directly inside your inbox. Subscribe to the newsletter, and don't miss out.

k8scommunicationtroubleshootingproxy

Written by

Muskan Agrawal
Muskan Agrawal

Cloud and DevOps professional with a passion for automation, containers, and cloud-native practices, committed to sharing lessons from the trenches while always seeking new challenges. Combining hands-on expertise with an open mind, I write to demystify the complexities of DevOps and grow alongside the tech community.