I have the following ingress setup:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: owl-dev-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: zzapps-owl-dev-ip
    networking.gke.io/managed-certificates: managed-cert
    kubernetes.io/ingress.class: 'gce'
spec:
  rules:
    - host: owl-dev.zzapps.nl
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: zzapps-owl-dev-webapi-service
                port:
                  number: 80
          - path: /
            pathType: Prefix
            backend:
              service:
                name: zzapps-owl-dev-webui-service
                port:
                  number: 3000
  

It exposes 2 services: if the url is called with /api it forwards to the API backend deployment on port 80, if it goes to /* it forwards to the UI pod serving the webpage.

The / works fine, except that the Ingress shows

And yes, the backend service is unhealthy for the api (on 80):

When I check the healthcheck itself:

It is configured on /api. This is what the backend is expecting as well. When I expose the backend through the gcloud shell and forward it, I can reach /api fine (localhost:8080/api) (it gives a swagger page, with a 200 result, I think that is okay?)

gcloud container clusters get-credentials xxx-xxx-xxx-2 --zone europe-west4-a --project xxx-xxx-xxx \
>  && kubectl port-forward $(kubectl get pod --selector="app=zzapps-owl-dev-web-api" --output jsonpath='{.items[0].metadata.name}') 8080:80
Fetching cluster endpoint and auth data.
kubeconfig entry generated for xxx-xxx-xxx-2.


To take a quick anonymous survey, run:
  $ gcloud survey

Forwarding from 127.0.0.1:8080 -> 80
Forwarding from [::1]:8080 -> 80
Handling connection for 8080

Long story short: It is unclear why the healthcheck is not able to verify connection.