Tag: Kubernetes
Problems related to Kubernetes, such as pod failures, API errors, or scheduling issues
| ID | Title | Description | Category | Technology | Tags |
|---|---|---|---|---|---|
| prequel-2025-0001 (Critical; Impact 7/10; Mitigation 3/10) | Telepresence.io Traffic Manager Excessive Client-side Kubernetes API Throttling | One or more cluster components (kubectl sessions, operators, controllers, CI/CD jobs, etc.) hit the **default client-side rate-limiter in client-go** (QPS = 5, Burst = 10). The client logs messages such as `Waited for ‹N›s due to client-side throttling, not priority and fairness` and delays each request until a token is available. Although the API server itself may still have spare capacity, and Priority & Fairness queueing is not the bottleneck, end-user actions and controllers feel sluggish or appear to "stall". | Kubernetes Problems | traffic-manager | Kubernetes, Telepresence, Traffic Manager, API Throttling |
| prequel-2025-0002 (Medium; Impact 7/10; Mitigation 3/10) | Envoy metrics scraping failure with unexpected EOF | Prometheus is failing to scrape and write Envoy metrics from Istio sidecars due to an unexpected EOF error. This occurs when trying to collect metrics from services that don't have proper protocol selection configured in their Kubernetes Service definition. | Service Mesh Monitoring | prometheus | Prometheus, Istio, Envoy, Metrics, Service Mesh, Kubernetes |
| prequel-2025-0010 (High; Impact 8/10; Mitigation 4/10) | Telepresence agent-injector certificate reload failure | Telepresence 2.5.x versions suffer from a critical TLS handshake error between the mutating webhook and the agent injector. When the certificate is rotated or regenerated, the agent-injector pod fails to reload the new certificate, causing all admission requests to fail with `remote error: tls: bad certificate`. This effectively breaks the traffic manager's ability to inject the agent into workloads, preventing Telepresence from functioning properly. | Kubernetes Problems | traffic-manager | Known Problem, Telepresence, Kubernetes, Certificate |
| prequel-2025-0020 (High; Impact 8/10; Mitigation 2/10) | Too many replicas scheduled on the same node | 80% or more of a deployment's replica pods are scheduled on the same Kubernetes node. If this node shuts down or experiences a problem, the service will experience an outage. | Fault Tolerance Problems | dru | Replica, Kubernetes |
| prequel-2025-0027 (Low; Impact 5/10; Mitigation 2/10) | Ingress Nginx Prefix Wildcard Error | The NGINX Ingress Controller rejects an Ingress manifest whose `pathType: Prefix` value contains a wildcard (`*`). Log excerpt: `ingress: default/api prefix path shouldn't contain wildcards`. When the controller refuses the rule, it omits it from the generated `nginx.conf`; clients receive **404 / 502** responses even though the manifest was accepted by the Kubernetes API server. The problem appears most often after upgrading to ingress-nginx ≥ 1.8, where stricter validation was added. | Ingress Problems | ingress-nginx | Nginx, Ingress, Kubernetes |
| prequel-2025-0081 (Medium; Impact 6/10; Mitigation 4/10) | ArgoCD RawExtension API Field Error with Datadog Operator | ArgoCD application controller fails to process certain custom resources due to being unable to find API fields in struct RawExtension. This commonly affects users deploying Datadog Operator CRDs, resulting in application sync errors for these resources. | Continuous Delivery Problems | argocd | ArgoCD, Kubernetes, Custom Resource, Datadog |
| prequel-2025-0087 (Medium; Impact 7/10; Mitigation 5/10) | Kyverno JMESPath query failure due to unknown key | Kyverno policies with JMESPath expressions are failing due to references to keys that don't exist in the target resources. This happens when policies attempt to access object properties that aren't present in the resources being validated, resulting in "Unknown key" errors during policy validation. | Policy Enforcement Issues | kyverno | Kyverno, Kubernetes, Policy Management |
| prequel-2025-0090 (High; Impact 8/10; Mitigation 5/10) | Karpenter version incompatible with Kubernetes version; Pods cannot be scheduled | Karpenter is unable to provision new nodes because the current Karpenter version is not compatible with Kubernetes version . This incompatibility causes validation errors in the nodeclass controller and prevents pods from being scheduled properly in the cluster. | Kubernetes Provisioning Problems | karpenter | AWS, Karpenter, Kubernetes |
| prequel-2025-0093 (Medium; Impact 8/10; Mitigation 5/10) | aws-load-balancer-controller rejects Ingress resource with wildcard path and Prefix pathType | The aws-load-balancer-controller is unable to translate an Ingress resource into an AWS ALB Listener Rule when the path contains a wildcard (`*`) and the pathType is set to Prefix. | Kubernetes Networking Problems | aws-load-balancer-controller | Kubernetes, AWS Loadbalancer Controller, Ingress Resource, AWS, Networking, Configuration, Path Validation, ALB, Routing |
| prequel-2025-0103 (High; Impact 4/10; Mitigation 5/10) | Ingress Nginx Backend Service Has No Active Endpoints | The ingress-nginx controller has detected that a service does not have any active endpoints. This typically happens when the service selector does not match any pods or the pods are not in a ready state. The controller logs a warning message indicating that the service does not have any active endpoints. | Ingress Problems | ingress-nginx | Nginx, Ingress, Kubernetes, Service |
| prequel-2025-0104 (Medium; Impact 5/10; Mitigation 4/10) | Ingress Nginx can't obtain X.509 certificate | The Nginx ingress encountered an error while trying to obtain an X.509 certificate from the Kubernetes secret. | Ingress Problems | ingress-nginx | Kubernetes, Certificate, Nginx, Ingress |
| prequel-2025-0105 (Medium; Impact 7/10; Mitigation 5/10) | Karpenter NodePool budget exceeded; Pods cannot be scheduled | Karpenter is used to automatically provision Kubernetes nodes. NodePools can define a maximum budget for total resource usage to prevent unexpectedly expensive cloud bills. When the budget is reached, Karpenter will stop provisioning new nodes and new pods will fail to schedule. | Autoscaling Problems | karpenter | Karpenter, Kubernetes, Autoscaling, Capacity, Budgets |
| prequel-2025-0106 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Bitnami Image Pull Events | Detects Kubernetes events where Bitnami container images are being pulled from Docker Hub. Monitors image pull operations for Bitnami images across all namespaces. Identifies usage of Bitnami images that may be affected by upcoming catalog changes. Tracks container deployments using Bitnami images for migration planning. | Container Security | kubernetes | Kubernetes, Bitnami, Container Images, Image Pulls, Docker Hub, Migration Planning, Catalog Changes |
| prequel-2025-0107 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Bitnami Image Pull Error | Detects Kubernetes events where Bitnami container image pulls are failing due to repository deprecation. Monitors image pull failures for Bitnami images as they approach the August 28, 2025 deprecation deadline. Identifies specific error conditions when Bitnami images become unavailable from deprecated repositories. Tracks container deployment failures due to Bitnami image repository deprecation. | Container Security | kubernetes | Kubernetes, Bitnami, Container Images, Image Pull Errors, Docker Hub, Repository Deprecation, Migration Required |
| prequel-2025-0108 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deprecated Bitnami Repository Image Pulls | Detects Kubernetes events where container images are being pulled from the deprecated `/bitnami` repository on Docker Hub. Monitors image pull operations specifically from `docker.io/bitnami/*`, which will be discontinued. Identifies usage of the deprecated Bitnami repository that requires immediate migration. Tracks container deployments using the legacy `/bitnami` path for urgent migration planning. | Container Security | kubernetes | Kubernetes, Bitnami, Deprecated Repository, Container Images, Image Pulls, Docker Hub |
| prequel-2025-0109 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Legacy Bitnami Repository Image Pulls | Detects Kubernetes events where container images are being pulled from the unmaintained `/bitnamilegacy` repository on Docker Hub. Monitors image pull operations specifically from `docker.io/bitnamilegacy/*`, which is no longer maintained. Identifies usage of the deprecated Bitnami repository that requires immediate migration. Tracks container deployments using the legacy `/bitnamilegacy` path for urgent migration planning. | Container Security | kubernetes | Kubernetes, Bitnami, Container Images, Image Pulls, Docker Hub, Security |
| prequel-2025-0110 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Bitnami Secure Image Pull Events - Designed for Non-Prod Usage Only | Detects Kubernetes events where Bitnami Secure container images are being pulled. Monitors image pull operations for Bitnami Secure images which cannot be pinned to specific versions. Identifies usage of Bitnami Secure images that lack version pinning capabilities for production stability. Tracks container deployments using unpinnable Bitnami Secure images for compliance monitoring. | Container Security | kubernetes | Kubernetes, Bitnami, Container Images, Image Pulls, Dev Only |
| prequel-2025-0111 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deprecated Bitnami Repository Image Pulls | Detects Kubernetes events where container images are being pulled from the deprecated `/bitnami` repository on Docker Hub. Monitors image pull operations specifically from `docker.io/bitnami/*`, which will be discontinued. Identifies usage of the deprecated Bitnami repository that requires immediate migration. Tracks container deployments using the legacy `/bitnami` path for urgent migration planning. | Container Security | v1 | Kubernetes, Bitnami, Deprecated Repository, Container Images, Image Pulls, Docker Hub |
| prequel-2025-0112 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deployment CPU Requests Missing | Detects Kubernetes Deployment resources without CPU requests configured on containers. Monitors deployment specifications where containers lack proper CPU request definitions. Identifies resource management violations that can lead to poor cluster scheduling. Tracks deployments that may cause resource contention and performance issues. | Resource Management | v1 | Kubernetes, Deployment, CPU Requests, resource-management, Scheduling, Performance |
| prequel-2025-0113 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deployment CPU Limits Missing | Detects Kubernetes Deployment resources without CPU limits configured on containers. Monitors deployment specifications where containers lack proper CPU limit definitions. Identifies resource management violations that can lead to resource exhaustion. Tracks deployments that may consume excessive CPU resources without bounds. | Resource Management | v1 | Kubernetes, Deployment, CPU Limits, resource-management, Resource Exhaustion, Performance |
| prequel-2025-0114 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deployment Memory Requests Missing | Detects Kubernetes Deployment resources without memory requests configured on containers. Monitors deployment specifications where containers lack proper memory request definitions. Identifies resource management violations that can lead to poor scheduling decisions. Tracks deployments that may cause memory pressure and OOM conditions. | Resource Management | v1 | Kubernetes, Deployment, Memory Requests, resource-management, Scheduling, OOM |
| prequel-2025-0115 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deployment Memory Limits Missing | Detects Kubernetes Deployment resources without memory limits configured on containers. Monitors deployment specifications where containers lack proper memory limit definitions. Identifies resource management violations that can lead to memory exhaustion. Tracks deployments that may consume excessive memory resources without bounds. | Resource Management | v1 | Kubernetes, Deployment, Memory Limits, resource-management, Memory Exhaustion, OOM |
| prequel-2025-0116 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deployment Liveness Probe Missing | Detects Kubernetes Deployment resources without liveness probes configured on containers. Monitors deployment specifications where containers lack proper health check definitions. Identifies reliability violations that can lead to undetected application failures. Tracks deployments that may run unhealthy containers without automatic recovery. | Kubernetes Best Practices | v1 | Kubernetes, Deployment, Liveness Probe, Health Checks, Reliability, Availability |
| prequel-2025-0117 (Medium; Impact 0/10; Mitigation 0/10) | Kubernetes Deployment Readiness Probe Missing | Detects Kubernetes Deployment resources without readiness probes configured on containers. Monitors deployment specifications where containers lack proper readiness check definitions. Identifies reliability violations that can lead to premature traffic routing. Tracks deployments that may receive traffic before being fully ready to handle requests. | Kubernetes Best Practices | v1 | Kubernetes, Deployment, Readiness Probe, Health Checks, Reliability, Traffic Routing |