YAML Errors
218 error patterns
Ansible SSH connection failure
ansible.*UNREACHABLE.*Failed to connect to the host via ssh
- •Verify SSH key is loaded: ssh-agent and ssh-add
- •Check ansible_host, ansible_user, ansible_ssh_private_key_file in inventory
Ansible permission denied during task
ansible.*FAILED.*msg.*Permission denied
- •Add 'become: yes' and 'become_method: sudo' to the task/playbook
- •Ensure the ansible user has sudo privileges on the target
Ansible sudo timeout
ansible.*FAILED.*msg.*Timeout.*waiting for privilege escalation
- •Configure NOPASSWD in sudoers for the ansible user
- •Set ansible_become_password in vault-encrypted variables
Ansible invalid module attribute
ansible.*module_stderr.*is not a valid attribute for
- •Check module documentation for correct parameter names
- •Update Ansible to a version that supports the attribute
GitHub Actions step failed with exit code 1
github actions.*Error: Process completed with exit code 1.*run:
- •Account for 'set -e' behavior in the run script and check individual command exit codes
- •Use 'continue-on-error: true' if failure is acceptable
GitHub Actions artifact not found for download
github actions.*Error: .*/download-artifact.*no artifacts found
- •Ensure upload-artifact step ran successfully in the same workflow run
- •Match artifact name exactly between upload and download steps
GitHub Actions matrix exclude doesn't match
github actions.*matrix.*exclude.*does not match any configuration
- •Ensure exclude values exactly match the matrix combinations
- •Use include to add specific combinations instead of complex excludes
GitHub Actions reusable workflow not found
github actions.*Error:.*reusable workflow.*not found
- •Use full path: owner/repo/.github/workflows/file.yml@ref
- •Ensure the workflow file exists on the referenced branch/tag
GitHub Actions OIDC token retrieval failure
github actions.*Error:.*OIDC.*token.*could not be retrieved
- •Add 'permissions: id-token: write' to the job
- •Verify the OIDC provider trust policy accepts the repo/branch
ArgoCD application sync failure
argocd.*ComparisonError.*unable to.*sync.*application
- •Check ArgoCD UI for detailed sync error on each resource
- •Verify Git repository is accessible with configured credentials
ArgoCD sync hook failure
argocd.*OutOfSync.*Hook.*failed
- •Check hook Job/Pod logs for error details
- •Ensure hook has correct annotation: argocd.argoproj.io/hook
ArgoCD deployment health degraded - deadline exceeded
argocd.*health.*degraded.*Progressing.*deadline exceeded
- •Increase progressDeadlineSeconds in Deployment spec
- •Check Pod events for scheduling/pull/crash issues
Helm chart template rendering error
helm.*template.*Error:.*render error in.*template
- •Run 'helm template --debug' to see where rendering fails
- •Check for nil values - use 'default' function or 'if' guards
Helm upgrade failed - operation in progress
helm.*Error:.*UPGRADE FAILED.*another operation.*in progress
- •Run 'helm rollback <release> <revision>' to fix pending state
- •Use 'helm history <release>' to find last successful revision
Helm resource already exists (not managed by this release)
helm.*Error:.*rendered manifests contain a resource that already exists
- •Add helm.sh/resource-policy: keep annotation if resource should be adopted
- •Use --force flag on upgrade to overwrite
Prometheus scrape target timeout
prometheus.*scrape_error.*context deadline exceeded
- •Increase scrape_timeout in prometheus.yml job config
- •Check target endpoint is responding within timeout
Prometheus Alertmanager webhook notification failure
prometheus.*alertmanager.*notification failed.*webhook
- •Verify webhook URL is accessible from Alertmanager
- •Check webhook receiver endpoint returns 2xx status
Grafana datasource proxy returning 502
grafana.*datasource.*proxy error.*502
- •Verify datasource URL is accessible from Grafana server
- •Check datasource authentication credentials
Istio service mesh no healthy upstream
istio.*upstream connect error.*503.*no healthy upstream
- •Check destination pod health and readiness probes
- •Verify DestinationRule and VirtualService configuration
Istio authorization policy denied request
istio.*RBAC:.*access denied.*403
- •Review AuthorizationPolicy rules for the target service
- •Check source principal (service account) matches allow rules
Linkerd mTLS connection failure
linkerd.*Failed to establish connection.*TLS handshake
- •Check proxy identity certificates haven't expired
- •Verify trust anchors are consistent across the mesh
Load balancer target health check failure
load balancer.*health check.*unhealthy.*threshold reached
- •Verify health check endpoint returns 200 status
- •Check health check path, port, and protocol match application config
GitHub Actions annotations limit exceeded
github actions.*Error:.*Annotations.*limit.*exceeded
- •Reduce the number of warning/error annotations per step
- •Batch similar annotations into a single summary
ArgoCD destination cluster not found
argocd.*InvalidSpecError.*destination.*server.*not found
- •Register the cluster: argocd cluster add <context>
- •Verify cluster URL matches exactly in application spec
Helm values schema validation failure
helm.*Error:.*values don't meet the specifications.*schema validation
- •Check values against the chart's values.schema.json
- •Ensure required values are provided in -f values.yaml or --set
Prometheus TSDB compaction failure due to disk space
prometheus.*tsdb.*compaction failed.*out of.*disk space
- •Free disk space or expand storage volume
- •Reduce retention: --storage.tsdb.retention.time and retention.size
Ansible Jinja2 undefined variable error
ansible.*FAILED.*msg.*Jinja2.*UndefinedError
- •Define the variable in vars, group_vars, or host_vars
- •Use default filter: {{ my_var | default('fallback') }}
GitHub Actions container action not supported on runner
github actions.*Error:.*Container.*action.*is not supported.*runner
- •Use a Linux runner for container actions (not Windows/macOS)
- •Switch to a JavaScript action alternative
Istio circuit breaker activated
istio.*circuit breaker.*tripped.*consecutive.*errors
- •Check upstream service health and fix failing pods
- •Adjust outlierDetection settings in DestinationRule
Load balancer SSL certificate expired
load balancer.*SSL.*certificate.*expired
- •Renew the certificate and update the LB listener
- •Use cert-manager or ACM for automatic certificate renewal
Ansible become method not available
ansible.*FAILED.*msg.*Could not find.*become.*method
- •Install the become method binary on the target (sudo, doas, etc.)
- •Change become_method to one available on target: ansible_become_method=su
Ansible Jinja2 filter not found
ansible.*FAILED.*msg.*AnsibleFilterError.*No filter named
- •Install required Ansible collection providing the filter
- •Check filter name spelling and required imports
GitHub Actions required input not supplied
github actions.*Error: Input required and not supplied.*input
- •Pass required inputs in workflow_call trigger or action 'with' block
- •Add default values in the action/workflow input definition
GitHub Actions token lacks required permission
github actions.*Error:.*resource not accessible by integration
- •Add required permissions to the workflow: permissions: { issues: write }
- •Use a PAT or GitHub App token for cross-repo operations
ArgoCD sync failed - target namespace doesn't exist
argocd.*SyncError.*namespace.*not found
- •Create namespace manually or add it to the Application manifests
- •Set CreateNamespace=true in sync options
ArgoCD GPG signature verification failure
argocd.*error.*gpg signature.*verification failed
- •Add the signing key to ArgoCD GPG keys config
- •Disable GPG verification if not required: --insecure in repo config
Helm chart uses deprecated/removed Kubernetes API
helm.*Error:.*apiVersion.*not found.*deprecated
- •Update chart templates to use current API versions (e.g., apps/v1)
- •Use 'helm mapkubeapis' plugin to fix old releases
Prometheus rule evaluation exceeding interval
prometheus.*rule_group.*evaluation.*took longer than.*interval
- •Optimize PromQL queries in the slow rule group
- •Increase evaluation_interval for expensive rule groups
Istio sidecar injection webhook failure
istio.*sidecar injection.*failed.*webhook
- •Check istiod is running and healthy
- •Verify webhook certificate hasn't expired
Linkerd identity certificate expired
linkerd.*error.*could not verify identity.*expired certificate
- •Rotate trust anchor and issuer certificates
- •Use 'linkerd check --proxy' to diagnose certificate issues
Load balancer backend connection timeout despite healthy
load balancer.*backend.*connection timeout.*health check passed
- •Increase backend timeout settings (separate from health check)
- •Check application isn't overloaded (request timeout vs health check)
Ansible loop variable undefined
ansible.*FAILED.*msg.*Items.*is undefined
- •Check 'loop' or 'with_items' variable is defined and not empty
- •Use 'when: my_list is defined and my_list | length > 0'
GitHub Actions cache size limit exceeded
github actions.*Error.*cache.*size exceeds.*limit
- •Reduce cache paths to only essential directories
- •Use more specific cache keys to avoid bloated caches
ArgoCD too many resources for diff computation
argocd.*ComparisonError.*too many resources.*skipping diff
- •Split application into multiple smaller ArgoCD Applications
- •Use ApplicationSet for managing many similar resources
Helm lookup function not available in template mode
helm.*Error:.*lookup.*function.*not allowed.*template
- •lookup only works during install/upgrade, not 'helm template'
- •Provide values via --set or values.yaml instead of cluster lookup
Prometheus WAL (Write-Ahead Log) corruption
prometheus.*tsdb.*WAL.*corrupted
- •Delete corrupted WAL segments and restart Prometheus
- •Use promtool tsdb recover-wal to attempt recovery
Istio VirtualService destination host not found
istio.*VirtualService.*route.*destination.*host.*not found
- •Ensure destination host matches a Kubernetes Service name
- •Use FQDN: service-name.namespace.svc.cluster.local
Ansible dict attribute access error
ansible.*FAILED.*msg.*dict object.*has no attribute
- •Use bracket notation: my_dict['key'] instead of my_dict.key
- •Check dict structure with debug: msg={{ my_dict | to_nice_json }}
GitHub Actions workflow YAML syntax error
github actions.*Error:.*Workflow.*is not valid.*YAML syntax
- •Validate YAML with a linter (yamllint, VS Code YAML extension)
- •Check for indentation issues and special character escaping
ArgoCD git repository authentication failure
argocd.*error.*repository.*authentication required
- •Update repository credentials in ArgoCD settings
- •Use SSH key or deploy token for private repositories
Helm CRD owned by another release
helm.*Error:.*CRD.*already exists.*owned by another release
- •CRDs should be installed separately from the chart
- •Use --skip-crds flag if CRDs are managed externally
Prometheus remote write queue full - samples dropped
prometheus.*remote_write.*queue.*full.*dropping samples
- •Increase queue_config capacity and max_shards
- •Check remote storage endpoint throughput
Istio gateway port already bound
istio.*gateway.*port conflict.*already bound
- •Check for duplicate Gateway resources binding same port
- •Use different ports for different gateways
Linkerd service discovery lookup failure
linkerd.*error:.*destination.*service discovery.*lookup failed
- •Ensure destination service is running and has endpoints
- •Check ServiceProfile resources for correct service FQDN
Load balancer surge queue full causing 5xx
load balancer.*5xx.*surge queue.*full
- •Increase backend capacity (scale up/out)
- •Increase surge queue length if supported by LB type
Ansible package not found in repositories
ansible.*FAILED.*msg.*No package matching.*found available
- •Enable the required repository on the target system
- •Check package name matches the target OS package manager naming
GitHub Actions workflow cancelled by concurrency group
github actions.*Error:.*concurrency.*cancel-in-progress.*cancelled
- •Remove cancel-in-progress if concurrent runs should queue
- •Use unique concurrency group keys per branch/PR
ArgoCD sync waiting for CRD to be ready
argocd.*error.*resource.*CRD.*not ready
- •Apply CRDs first using sync waves: argocd.argoproj.io/sync-wave: '-1'
- •Use ServerSideApply sync option for CRD resources
Helm YAML parse error from tabs
helm.*Error:.*YAML.*parse error.*did you use tabs
- •Replace all tabs with spaces in YAML templates
- •Configure editor to insert spaces for indentation
Pod not scheduled due to taint
node.*had taint.*that the pod didn't tolerate
- •Add matching toleration to pod spec
- •Remove taint from node
Pod node affinity not matched
didn't match Pod's node affinity|nodeAffinity
- •Verify node labels match affinity selectors
- •Use preferredDuringScheduling for soft affinity
Topology spread constraint unsatisfiable
topology spread constraint.*not satisfiable
- •Set whenUnsatisfiable: ScheduleAnyway
- •Add topology labels to nodes
Pod anti-affinity prevents scheduling
didn't match pod anti-affinity|podAntiAffinity
- •Spread pods across topology domains
- •Use preferredDuringScheduling
Insufficient resources for scheduling
Insufficient (cpu|memory).*nodes are available
- •Reduce resource requests
- •Scale up cluster nodes
StatefulSet pod ordering stuck
StatefulSet.*pod.*has.*not ready|OrderedReady
- •Fix previous pod health check
- •Use podManagementPolicy: Parallel
PVC pending - no PV available
persistentvolumeclaim.*Pending.*no persistent volumes available
- •Create PV matching PVC storageClass
- •Enable dynamic provisioning with StorageClass
StatefulSet PVC retention blocking scale-down
StatefulSet.*stuck.*delete.*PVC.*retain
- •Set persistentVolumeClaimRetentionPolicy
- •Manually delete orphaned PVCs
Headless service has no endpoints
headless service.*no endpoints|ClusterIP.*None.*no endpoints
- •Verify pod labels match service selector
- •Check pods are Ready
Operator reconciler error with requeue
reconciler error.*requeue
- •Add exponential backoff to requeue
- •Handle transient errors separately
Finalizer blocking resource deletion
finalizer.*blocking deletion|cannot delete.*finalizer
- •Implement finalizer cleanup logic
- •Remove finalizer patch if orphaned
Operator status subresource update failure
status subresource.*not updated|cannot update.*status
- •Use Status().Update() not Update()
- •Enable status subresource in CRD spec
Network policy blocking traffic
NetworkPolicy.*ingress.*denied|connection timed out.*network policy
- •Add ingress rule allowing source pod labels
- •Add egress rule for destination
RBAC permission denied
forbidden.*RBAC.*cannot.*get|User.*cannot.*verb.*resource
- •Add verb to Role/ClusterRole
- •Bind role to correct service account
ServiceAccount not found in binding
serviceaccount.*not found.*binding
- •Create ServiceAccount in correct namespace
- •Match SA name in RoleBinding subject
PV stuck in Released state
PersistentVolume.*Released.*not available
- •Change reclaimPolicy to Retain and rebind
- •Delete and recreate PV
Volume multi-attach error
Multi-Attach error.*volume.*already.*attached.*node
- •Use ReadWriteMany access mode
- •Wait for pod eviction from old node
Admission webhook denied request
admission webhook.*denied the request
- •Check webhook validation rules
- •Fix resource spec to pass validation
CRD conversion webhook failure
conversion webhook.*failed.*convert
- •Implement conversion between API versions
- •Check webhook service is running
CRD validation schema error
CustomResourceDefinition.*invalid.*validation
- •Fix OpenAPI schema in CRD spec
- •Add required fields to schema
Pod Security Admission violation
pod security.*violates.*PodSecurity.*(restricted|baseline)
- •Set securityContext to match policy level
- •Add runAsNonRoot: true
Seccomp profile not found or forbidden
seccomp.*profile.*not found|Forbidden.*seccomp
- •Use RuntimeDefault seccomp profile
- •Install custom profile on nodes
AppArmor profile not loaded
AppArmor.*profile.*not found|Failed to apply AppArmor
- •Load AppArmor profile on nodes
- •Use runtime/default profile
Container image signature verification failed
image.*not signed|signature verification failed
- •Sign image with cosign/notation
- •Add image to allow list
Container in CrashLoopBackOff
Back-off restarting failed container|CrashLoopBackOff
- •Check container logs with kubectl logs
- •Verify command and args in container spec
Image pull failure
failed to pull.*image.*not found|ErrImagePull|ImagePullBackOff
- •Verify image name and tag exist
- •Configure imagePullSecrets for private registry
Container OOM killed
OOMKilled|out of memory
- •Increase memory limits
- •Optimize application memory usage
Readiness probe failing
Readiness probe failed.*connection refused
- •Increase initialDelaySeconds
- •Verify probe port matches container port
StorageClass not found
StorageClass.*not found|no.*default StorageClass
- •Create StorageClass resource
- •Set storageClassName in PVC
Volume mounted read-only unexpectedly
volume.*mount.*read-only file system
- •Set readOnly: false in volumeMount
- •Check PV access mode is ReadWriteOnce
RBAC privilege escalation denied
ClusterRole.*escalation.*not allowed
- •Ensure granting user has the permissions
- •Add escalate verb to user's role
Ingress host conflict
Ingress.*host.*already defined|conflicting.*ingress
- •Use unique host per ingress
- •Merge rules into single ingress
HPA cannot get metrics
HorizontalPodAutoscaler.*unable to get metrics
- •Verify metrics-server is running
- •Set resource requests on containers
Pod waiting on unbound PVC
Pod.*FailedScheduling.*unbound.*PersistentVolumeClaim
- •Create matching PV or enable dynamic provisioning
- •Check PVC storageClass exists
ConfigMap/Secret not found for mount
configmap.*not found|secret.*not found.*mount
- •Create ConfigMap/Secret before pod
- •Use optional: true in volume source
Pod evicted for ephemeral storage
Evicted.*ephemeral-storage.*exceeded
- •Increase ephemeral-storage limit
- •Clean up temp files in container
Operator lost leader election
operator.*leader election.*lost
- •Increase lease duration
- •Check pod health and network
ResourceQuota exceeded
cannot create resource.*quota.*exceeded
- •Increase quota limits
- •Delete unused resources
Service references non-existent port name
Service.*has no.*port.*named
- •Add named port to container spec
- •Match targetPort to container port name
Deployment exceeded progress deadline
Deployment.*exceeded.*progress deadline|ProgressDeadlineExceeded
- •Increase progressDeadlineSeconds
- •Fix pod startup issues
Job exceeded backoff limit
Job.*BackoffLimitExceeded
- •Increase backoffLimit
- •Fix underlying job failure
Kubernetes DNS resolution failure
DNS.*resolution failed|could not resolve.*service
- •Check CoreDNS pods are running
- •Verify service name and namespace
CronJob missed start times
CronJob.*too many.*missed start time|TooManyMissedStartTimes
- •Set startingDeadlineSeconds
- •Use concurrencyPolicy: Replace
Validating webhook configuration failure
failed to create.*validating webhook configuration
- •Verify caBundle is base64 CA certificate
- •Check webhook service endpoint is reachable
SecurityContext forbidden by policy
cannot.*create.*resource.*Forbidden.*SecurityContext
- •Set runAsNonRoot: true
- •Remove privileged: true
Volume already attached to different node
unable to attach.*volume.*already attached.*different node
- •Wait for pod on old node to terminate
- •Force detach volume from old node
Submariner gateway connection failure
submariner.*gateway.*not connected
- •Verify gateway nodes can reach each other
- •Check IPsec/WireGuard port connectivity
Federation cluster join failure
federation.*cluster.*not reachable|kubefed.*join.*failed
- •Verify cluster API endpoint accessible
- •Check federation controller credentials
PDB blocking pod eviction
PodDisruptionBudget.*blocking.*eviction|Cannot evict.*PDB
- •Adjust minAvailable/maxUnavailable
- •Scale up before maintenance
Init container failed
init container.*failed|Init:Error|Init:CrashLoopBackOff
- •Check init container logs
- •Verify init container dependencies available
LimitRange prevents resource request
LimitRange.*forbidden.*exceeds.*limit
- •Set resources within LimitRange bounds
- •Adjust LimitRange limits
Istio sidecar injection failure
istio.*sidecar.*injection.*failed|sidecar.*not injected
- •Label namespace with istio-injection=enabled
- •Check MutatingWebhookConfiguration
Host port already in use
cannot bind.*port.*already in use|hostPort.*conflict
- •Change hostPort or container port
- •Use NodePort service instead
Operator cannot watch namespace
operator.*watched namespace.*RBAC
- •Add namespace to operator RBAC
- •Use cluster-scoped role for multi-ns
VolumeSnapshot not ready
VolumeSnapshot.*not ready|snapshot.*error
- •Verify VolumeSnapshotClass exists
- •Check CSI driver supports snapshots
Endpoint not ready during termination
Endpoint.*NotReady.*serving.*terminating
- •Add preStop hook for graceful drain
- •Set terminationGracePeriodSeconds
TLS certificate expired
certificate.*expired|tls.*certificate.*not valid
- •Renew certificate (cert-manager auto-renew)
- •Check cert-manager issuer status
DaemonSet pod not scheduled
DaemonSet.*not scheduled.*unschedulable
- •Add tolerations for node taints
- •Check node selector matches
etcd timeout or leader change
etcd.*request timed out|etcd.*leader changed
- •Check etcd cluster health
- •Reduce etcd write load
kubectl cannot connect to cluster
kubectl.*unable to connect.*server.*refused
- •Check KUBECONFIG path
- •Verify cluster API server is running
PriorityClass missing or preemption failed
PriorityClass.*not found|preemption.*failed
- •Create PriorityClass resource
- •Use system-defined priority classes
Kubernetes optimistic concurrency conflict
cannot patch.*the object has been modified
- •Retry with fresh resourceVersion
- •Use strategic merge patch
CRD version not served
CustomResource.*version.*not served|storage version.*not found
- •Add version to CRD served versions
- •Implement conversion webhook
Operator cache not synced
operator.*cache.*not started|informer.*not synced
- •Wait for cache sync in reconciler
- •Use mgr.GetCache().WaitForCacheSync()
Foreground deletion blocked by dependents
cannot.*delete.*propagation.*Foreground.*blocked
- •Use Background propagation policy
- •Delete dependents first
RuntimeClass handler not available
RuntimeClass.*not found|handler.*not available
- •Install container runtime (gVisor/Kata)
- •Create RuntimeClass matching handler
Network policy blocks DNS egress
NetworkPolicy.*egress.*denied.*DNS
- •Add egress rule for DNS (port 53 UDP/TCP)
- •Allow egress to kube-system namespace
CSI volume publish failure
CSI.*NodePublishVolume.*failed
- •Check CSI driver is running on node
- •Verify volume capabilities match
Admission webhook timeout
webhook.*timeout.*context deadline exceeded
- •Increase webhook timeoutSeconds
- •Optimize webhook processing
Pod requires runAsNonRoot but image runs as root
cannot create pods.*security context.*runAsNonRoot
- •Set runAsUser to non-zero in securityContext
- •Rebuild image with non-root USER directive
HPA at min replicas during scale-down
Horizontal Pod Autoscaler.*not able to scale.*min.*replicas
- •Reduce minReplicas if appropriate
- •Check scaleDown stabilization window
kube-proxy iptables rules missing
kube-proxy.*iptables.*KUBE-SVC.*not found
- •Restart kube-proxy daemonset
- •Check kube-proxy mode (iptables vs ipvs)
Mutating webhook cert invalid
MutatingWebhook.*certificate.*invalid
- •Rotate webhook certificate
- •Update caBundle in webhook config
StatefulSet volumeClaimTemplates immutable
StatefulSet.*cannot be updated.*spec.*volumeClaimTemplates
- •Delete and recreate StatefulSet (orphan pods)
- •Create new StatefulSet with new template
ExternalName service DNS not resolving
Service.*ExternalName.*CNAME.*not resolving
- •Verify external hostname is resolvable
- •Check CoreDNS can resolve external names
Kustomize resource not found in base
kustomize.*resource.*not found.*base
- •Verify resource path in kustomization.yaml
- •Check relative path from kustomization location
Helm template rendering error
helm.*template.*render.*error|helm.*values.*type mismatch
- •Check values.yaml types match template
- •Use helm template --debug for output
Container cgroup memory throttling
cgroup.*memory.*limit reached.*throttled
- •Increase memory limit
- •Enable memory swap if appropriate
Container runtime not running on node
unable to ensure pod.*container runtime.*not running
- •Restart containerd/docker on node
- •Check runtime socket exists
Projected volume SA token audience mismatch
projected.*volume.*serviceAccountToken.*audience.*not found
- •Configure audience in pod volume spec
- •Check API server --api-audiences flag
Operator reconciler rate limited
operator.*controller.*too many requeues|rate.*limiter.*exceeded
- •Increase rate limiter parameters
- •Add exponential backoff
EndpointSlice overflow
EndpointSlice.*too many.*endpoints|Endpoints.*overflowing
- •Use EndpointSlice API (auto-splits at 100)
- •Reduce service backends
VPA no recommendation available
VerticalPodAutoscaler.*recommendation.*not available
- •Wait for metrics collection period
- •Verify VPA recommender is running
Topology label not present on nodes
topology.*constraint.*label.*not present on node
- •Add topology label to nodes
- •Use well-known labels (topology.kubernetes.io)
Gateway API GatewayClass not accepted
gateway.*API.*GatewayClass.*not accepted
- •Install gateway controller for the class
- •Check GatewayClass controller matches installed
Operator webhook cert secret missing
operator.*webhook.*cert.*secret.*not found
- •Create cert secret manually
- •Configure cert-manager Certificate resource
Dynamic PV provisioning parameter error
Dynamic provisioning.*failed.*parameters.*invalid
- •Check StorageClass parameters for typos
- •Verify provisioner supports the parameters
Pod sandbox creation conflict
pod.*sandbox.*already exists.*cannot create
- •Delete old sandbox with crictl
- •Restart kubelet on affected node
Image policy webhook denied image
ImagePolicyWebhook.*denied.*image not in allowlist
- •Add image to allowed registry list
- •Sign image per policy requirements
SonarQube quality gate failed
SonarQube.*quality gate.*failed|Quality Gate Status: FAILED
- •Fix issues above threshold
- •Reduce code smells or duplications
SonarQube security hotspot needs review
SonarQube.*security hotspot.*Review|hotspot.*needs review
- •Review and resolve as safe/fixed
- •Apply recommended secure pattern
SonarQube cognitive complexity too high
SonarQube.*code smell.*cognitive complexity.*exceeds
- •Extract methods to reduce complexity
- •Simplify conditional logic
SonarQube potential null dereference
SonarQube.*bug.*null.*dereference|potential null pointer
- •Add null check before access
- •Use optional chaining
Mutation testing - survivor detected
mutation.*survived|mutant.*survived.*not killed
- •Add assertion that catches the mutation
- •Test boundary conditions
Mutation testing - mutant timeout
mutation.*timeout.*exceeded|mutant.*timed out
- •Increase mutation test timeout
- •Optimize test execution speed
Mutation testing - equivalent mutant
equivalent mutant.*no test can kill
- •Mark as equivalent if semantically identical
- •Refactor code to eliminate equivalence
SonarQube scanner connection failure
SonarQube.*scanner.*failed.*connect|sonar.*server.*unreachable
- •Check SONAR_HOST_URL configuration
- •Verify network access to SonarQube
Mutation score below threshold
mutation.*score.*below.*threshold|mutation score.*insufficient
- •Add more meaningful assertions
- •Test edge cases and boundaries
SonarQube code duplication threshold
SonarQube.*duplicated.*lines.*threshold|duplication.*exceeded
- •Extract common code to shared function
- •Use inheritance or composition
SonarQube SQL injection vulnerability
SonarQube.*vulnerability.*SQL injection|sonar.*injection.*flaw
- •Use parameterized queries
- •Apply ORM/query builder
SonarQube coverage below threshold
SonarQube.*coverage.*below.*threshold|coverage.*on new code.*insufficient
- •Add unit tests for uncovered code
- •Focus on new code coverage
Stryker no mutants generated
mutation.*stryker.*no.*mutants.*generated
- •Check mutator configuration
- •Verify source files are included
Stryker sandbox creation failure
Stryker.*sandbox.*error|mutation.*sandbox.*failed to create
- •Check tempDir permissions
- •Increase available disk space
SonarQube token invalid
SonarQube.*analysis.*token.*invalid|authentication.*required
- •Generate new token in SonarQube UI
- •Set SONAR_TOKEN environment variable
PIT mutation - no mutations for class
mutation.*pitest.*no mutations.*class
- •Check targetClasses configuration
- •Verify source is not excluded
SonarQube branch analysis failure
SonarQube.*branch.*not found|sonar.*branch.*analysis.*failed
- •Set sonar.branch.name parameter
- •Verify branch exists in project
SonarQube exclusion pattern malformed
SonarQube.*exclusion.*pattern.*invalid|sonar\.exclusions.*malformed
- •Use correct glob syntax for exclusions
- •Separate patterns with commas
Mutation testing incremental baseline missing
mutation.*incremental.*baseline.*not found
- •Run full mutation analysis first
- •Configure baseline report path
API Gateway Rate Limit Exceeded
API.*Gateway.*rate.*limit.*exceeded.*429
- •Implement client-side rate limiting and backoff
- •Request rate limit increase for production
API Gateway Not Forwarding Auth Header
API.*Gateway.*authorization.*header.*not.*forwarded
- •Add Authorization to allowed headers in gateway config
- •Check header transformation rules aren't stripping it
API Gateway Request Transformation Error
API.*Gateway.*request.*transformation.*failed
- •Validate transformation template syntax
- •Check request body/path params are accessible in template
API Gateway Backend Integration Timeout
API.*Gateway.*timeout.*integration.*\d+ms
- •Increase gateway timeout (max 29s for AWS API Gateway)
- •Optimize backend response time
API Gateway Burst Throttling
API.*Gateway.*\d+.*throttling.*burst
- •Increase burst limit in usage plan
- •Implement request queuing on client side
Envoy Proxy Upstream Connection Failure
envoy.*upstream.*connection.*failure.*503
- •Check upstream cluster endpoints are healthy
- •Verify Envoy cluster discovery service is configured
Istio Sidecar Injection Failed
istio.*sidecar.*injection.*failed
- •Label namespace with istio-injection=enabled
- •Check MutatingWebhookConfiguration for istiod
Service Mesh mTLS Not Enforced
service.*mesh.*mTLS.*PERMISSIVE.*plaintext
- •Set PeerAuthentication mode to STRICT
- •Verify all services have sidecar proxies
API Gateway WebSocket Upgrade Rejected
API.*Gateway.*websocket.*upgrade.*rejected
- •Enable WebSocket support in gateway configuration
- •Set correct route for WebSocket upgrade path
Load Balancer All Backends Unhealthy
load.*balancer.*all.*backends.*unhealthy
- •Check health check endpoint path and expected response
- •Verify backend security groups allow health check traffic
Istio VirtualService Not Applied
service.*mesh.*traffic.*routing.*VirtualService.*not.*applied
- •Check VirtualService gateway and host fields match
- •Verify namespace selector in VirtualService
Envoy Route Not Matched
envoy.*route.*not.*matched.*404
- •Check route_config match prefix/path/regex
- •Verify virtual host domain matches request Host header
Service Mesh Outlier Detection Ejection
service.*mesh.*circuit.*breaking.*ejected
- •Check DestinationRule outlier detection settings
- •Verify ejected instances can recover (health check)
API Gateway Request Body Mapping Returns Null
API.*Gateway.*request.*body.*mapping.*null
- •Check content-type header matches mapping template
- •Verify request body is not consumed by authorization
API Gateway JWT Authorizer Denied
API.*Gateway.*JWT.*authorizer.*403
- •Verify JWT audience matches API Gateway resource
- •Check JWT issuer is configured in authorizer
Service Mesh Certificate Expired (Auto-Rotation)
service.*mesh.*mTLS.*certificate.*expired.*rotation
- •Check cert-manager or Citadel is running
- •Verify certificate rotation job is healthy
Docker Compose Health Check Retries Exceeded
docker-compose.*healthcheck.*unhealthy.*retries exceeded
- •Increase retries and start_period in healthcheck config
- •Verify health check command works inside container
Docker Compose depends_on condition Not Met
docker-compose.*depends_on.*condition.*service_healthy
- •Add healthcheck to dependency service definition
- •Use condition: service_healthy in depends_on
Docker Compose Build Arg Not Set
docker-compose.*build.*arg.*not.*set
- •Pass build arg in docker-compose.yml: args: [KEY=value]
- •Set build arg via .env file referenced in compose
Docker Compose Secrets Require Swarm Mode
docker-compose.*secrets.*not.*available.*swarm
- •Use Docker Swarm mode for secrets management
- •For compose v3, mount secrets as files via volumes
Docker Compose Network Creation Failed
docker-compose.*network.*driver.*failed.*create
- •Remove conflicting network: docker network prune
- •Check that the network name doesn't conflict with an existing network
Docker Compose Volume Permission Denied
docker-compose.*volume.*mount.*permission.*denied
- •Check host directory permissions and ownership
- •Use named volumes instead of bind mounts
Docker Compose Port Already in Use
docker-compose.*port.*already.*allocated
- •Find process using port: lsof -i :PORT
- •Change host port mapping: '8081:8080'
GitHub Actions Composite Action Using Field Error
GitHub Actions.*composite.*action.*using.*not.*supported
- •Composite actions use 'using: composite' not 'using: node20'
- •Each step in composite needs 'shell' field for run steps
GitHub Actions Dynamic Matrix fromJSON Error
GitHub Actions.*matrix.*dynamic.*fromJSON.*invalid
- •Ensure job output is valid JSON string
- •Use fromJson() in matrix: with proper escaping
GitHub Actions Job Output Not Available
GitHub Actions.*job.*output.*not.*available.*needs
- •Set output in job: echo 'key=value' >> "$GITHUB_OUTPUT"
- •Reference with needs.<job>.outputs.<key>
GitHub Actions Environment Protection Waiting
GitHub Actions.*environment.*protection.*required.*reviewers
- •Approve deployment in GitHub Actions UI
- •Add required reviewers in environment settings
GitHub Actions OIDC Federation Audience Mismatch
GitHub Actions.*OIDC.*token.*audience.*mismatch
- •Set audience in aws-actions/configure-aws-credentials
- •Verify OIDC provider audience matches in IAM trust policy
GitHub Actions OIDC Subject Claim Mismatch
GitHub Actions.*OIDC.*subject.*claim.*does not match
- •Check IAM role trust policy subject condition
- •Match repo:org/repo:ref:refs/heads/main format
GitHub Actions OIDC Token Permission Missing
GitHub Actions.*permissions.*id-token.*write.*required
- •Add permissions: id-token: write to job or workflow
- •Required for OIDC authentication with cloud providers
GitHub Actions Reusable Workflow Secrets Error
GitHub Actions.*reusable.*workflow.*secrets.*inherit
- •Use secrets: inherit to pass all secrets to reusable workflow
- •Or explicitly pass: secrets: MY_SECRET: ${{ secrets.MY_SECRET }}
GitHub Actions Concurrency Cancelled In-Progress Run
GitHub Actions.*concurrency.*group.*cancelled.*in-progress
- •Set cancel-in-progress: false to queue instead of cancel
- •Use unique concurrency group per PR/branch
GitHub Actions Artifact Upload Size Exceeded
GitHub Actions.*artifact.*upload.*failed.*size
- •Increase retention days or compress artifacts
- •Split large artifacts into multiple uploads
GitHub Actions Cache Miss
GitHub Actions.*cache.*key.*not found.*restore
- •Verify cache key matches: use hashFiles() for lock files
- •Add restore-keys for fallback partial matches
GitHub Actions Service Container Unhealthy
GitHub Actions.*service.*container.*unhealthy.*exit
- •Add options: --health-cmd to service definition
- •Increase health check interval and retries
GitHub Actions Matrix Exclude/Include Conflict
GitHub Actions.*matrix.*exclude.*include.*conflict
- •exclude is processed before include entries are added
- •Use include to add extra combinations, not override
Docker Compose Env File Not Found
docker-compose.*env_file.*not found
- •Create .env file in project root or specify path
- •Use env_file: - ./path/to/.env in service config
Docker Compose Image Pull Access Denied
docker-compose.*image.*pull.*access denied
- •Run docker login for private registry
- •Add registry credentials in compose or Docker config
Docker Compose depends_on Service Not Found
docker-compose.*depends_on.*service.*not found
- •Verify service name matches exactly in compose file
- •Check spelling and indentation of service definition
Docker Compose Profile Service Not Started
docker-compose.*profiles.*service.*not started
- •Activate profile: docker compose --profile <name> up
- •Add profiles: [dev] to service definition
Docker Compose Extension Field Error
docker-compose.*extension.*x-.*not.*supported
- •Use x- prefix for extension fields (compose 3.4+)
- •Reference with YAML anchor: *common-config
GitHub Actions Workflow Dispatch Missing Input
GitHub Actions.*workflow_dispatch.*inputs.*required
- •Provide required inputs when triggering manually
- •Set default values for inputs in workflow definition
GitHub Actions Path Filter Not Triggering
GitHub Actions.*path.*filter.*not.*triggering
- •Check path patterns match actual file changes
- •paths-ignore and paths are mutually exclusive
GitHub Actions Job Timeout Exceeded
GitHub Actions.*timeout.*exceeded.*job.*cancelled
- •Increase timeout-minutes in job config (default 360)
- •Optimize long-running steps or parallelize
GitHub Actions If Condition Syntax Error
GitHub Actions.*if.*condition.*syntax.*error
- •Use ${{ }} expression syntax in if conditions
- •Check operator: == not =, && not 'and'
GitHub Actions Deployment Environment Missing
GitHub Actions.*deployment.*environment.*not.*created
- •Create environment in repo Settings > Environments
- •Use environment: name-of-env in job definition
Docker Compose Container OOM Killed (Exit 137)
docker-compose.*container.*exited.*code.*137
- •Increase memory limit in deploy.resources.limits
- •Optimize application memory usage
Docker Compose Entrypoint Failed
docker-compose.*container.*exited.*code.*1.*entrypoint
- •Check entrypoint script has correct shebang and permissions
- •Verify entrypoint file has LF line endings (not CRLF)
GitHub Actions No Matching Runner
GitHub Actions.*runner.*no matching.*os.*label
- •Check runs-on label matches available runners
- •Use standard labels: ubuntu-latest, windows-latest, macos-latest
GitHub Actions Token Permission Insufficient
GitHub Actions.*token.*permissions.*403.*Resource not accessible
- •Add permissions block with required scopes to job
- •Use contents: write for push, pull-requests: write for PR
GitHub Actions Reusable Workflow Depth Exceeded
GitHub Actions.*workflow.*max.*depth.*exceeded.*reusable
- •Maximum 4 levels of reusable workflow nesting
- •Flatten workflow hierarchy by inlining steps