Troubleshooting Tips

May 23, 2026

Namespace and context

Mistake	Fast check
Wrong cluster context	`kubectl config current-context`
Resource created in wrong namespace	`kubectl get <resource> -A`
Service in one namespace, Pods in another	Services only select same-namespace Pods

kubectl config use-context <context>
kubectl config set-context --current --namespace=<ns>
kubectl get all -n <ns>

Labels and selectors

Symptom	Cause
Service has 0 Endpoints	Service selector does not match Pod labels
Only some Pods receive traffic	Only some Pods match selector
Deployment creates no Pods	Immutable selector mismatch

kubectl get svc <svc> -o jsonpath='{.spec.selector}'
kubectl get po --show-labels
kubectl get endpoints <svc>

RBAC

Mistake	Fix
Bound a missing ServiceAccount	Create SA first
RoleBinding in wrong namespace	RoleBinding must be in Role namespace
Missing app API group	Deployments need `apiGroups: [apps]`
Needs logs/exec	Add `pods/log` or `pods/exec`

kubectl auth can-i <verb> <resource> \
  --as=system:serviceaccount:<ns>:<sa> \
  -n <ns>

Ports

Field	Meaning
`containerPort`	App port inside Pod
Service `targetPort`	Port on selected Pods
Service `port`	Port clients use for Service
Ingress backend port	Service `port`, not `targetPort`

Probes

Liveness failure restarts containers
Readiness failure removes Pod from Service Endpoints
Aggressive liveness probes cause CrashLoopBackOff
Wrong readiness path can make a healthy app receive no traffic

ConfigMaps and Secrets

Symptom	Cause
`CreateContainerConfigError`	Missing ConfigMap/Secret/key
File missing in mounted path	Wrong `mountPath`, missing `subPath`, or key name mismatch
Env var absent	`envFrom` / `secretKeyRef` points to wrong object/key

NetworkPolicy

Default is allow until a policy selects Pods
podSelector: {} selects all Pods
Empty ingress: [] denies all ingress for selected Pods
Egress default-deny breaks DNS unless UDP/TCP 53 is allowed
Multiple from entries are OR; multiple selectors in one entry are AND

Storage

Symptom	Check
PVC Pending	`kubectl describe pvc`, StorageClass name
Mount failure	PVC bound? `claimName` correct?
StatefulSet data remains	PVCs are not deleted with StatefulSet

Commands that save time

kubectl describe pod <pod>
kubectl logs <pod> --previous
kubectl get events --sort-by=.metadata.creationTimestamp
kubectl label pod <pod> key=value --overwrite
kubectl get <resource> -o yaml

Final checklist

Practiced SA → Role → RoleBinding 5x
Can fix Service 0 Endpoints in under 2 min
Know port vs targetPort vs Ingress backend port
Can create a CronJob and trigger it with --from=cronjob
Can explain NetworkPolicy selector logic
Can debug ImagePullBackOff, CrashLoopBackOff, and CreateContainerConfigError