How to Fix K8s ImagePullBackOff: Registry Authentication

Quick Fix Summary

TL;DR

Create and apply a Kubernetes Secret with your registry credentials to the affected namespace.

ImagePullBackOff occurs when a Kubernetes node cannot pull a container image from a registry. Authentication failures are a primary cause, blocking pod startup and halting production services.

Diagnosis & Causes

  • Missing or incorrect Docker registry credentials.
  • Secret not referenced in the Pod spec or ServiceAccount.
  • Expired or revoked authentication token.
  • Network policy blocking access to the registry.
  • Registry requires a specific authentication method (e.g., IAM role).

Recovery Steps

    Step 1: Diagnose the Authentication Failure

    First, confirm the error is authentication-related by checking the pod events and describe output.

    ```bash
    kubectl describe pod <pod-name> -n <namespace>
    kubectl get events -n <namespace> --field-selector involvedObject.name=<pod-name>
    ```

    Step 2: Create a Docker Registry Secret

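    Create a Kubernetes Secret with `kubectl create secret docker-registry` (it is stored as type `kubernetes.io/dockerconfigjson`) using your credentials. Replace the placeholders with your actual registry URL, username, and password/token. A value passed with `--docker-password` ends up in shell history and is visible in the process list while the command runs, so use a scoped, revocable token rather than an account password.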

    ```bash
    kubectl create secret docker-registry regcred \
      --docker-server=<your-registry-server> \
      --docker-username=<your-name> \
      --docker-password=<your-pword> \
      --docker-email=<your-email> \
      -n <target-namespace>
    ```

    Step 3: Patch the Pod's ServiceAccount

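    For a cluster-wide or namespace-wide fix, attach the secret to the default ServiceAccount of each affected namespace. This automatically injects it into all new pods that run under that ServiceAccount; existing pods are not changed until they are recreated.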

    ```bash
    kubectl patch serviceaccount default -n <namespace> -p '{"imagePullSecrets": [{"name": "regcred"}]}'
    ```

    Step 4: Apply the Secret to a Specific Pod (Alternative)

    If you prefer not to modify the ServiceAccount, explicitly add the `imagePullSecrets` field to your Pod or Deployment YAML.

    ```yaml
    spec:
      containers:
      - name: myapp
        image: my-registry.io/my-app:latest
      imagePullSecrets:
      - name: regcred
    ```

    Step 5: Validate and Restart

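    Verify the secret is correctly configured and restart the deployment to trigger a new image pull. The `-o yaml` output contains the credentials, base64-encoded but not encrypted, so keep it out of tickets and chat logs.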

    ```bash
    kubectl get secret regcred -n <namespace> -o yaml
    kubectl rollout restart deployment/<deployment-name> -n <namespace>
    ```

    Step 6: Verify Fix and Monitor

    Confirm the pod starts successfully and the ImagePullBackOff error is resolved.

    ```bash
    kubectl get pods -n <namespace> -w
    kubectl logs <new-pod-name> -n <namespace>
    ```

    Architect's Pro Tip

    "For AWS ECR, use `kubectl create secret docker-registry` with an IAM role's temporary credentials, or better, configure the ECR Credential Helper on your nodes for automatic, secure token renewal."

    Frequently Asked Questions

    Can I use the same secret across multiple namespaces?

    No, Secrets are namespace-scoped. You must create the secret in each namespace where it's needed, or use a tool like kubed for syncing.

    My secret exists, but pods still fail. What's next?

    Check: 1) Secret name matches the Pod spec, 2) Credentials are valid via `docker login`, 3) Network policies allow egress to the registry, 4) The node has disk space.
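
Step 5's `-o yaml` output shows only a base64 blob, so a `--docker-server` value that does not match the image's registry is easy to miss. The following is an added example, not part of the original guide: it decodes the JSON form of the secret and compares registry hosts without printing any credential. The function names and the sample secret are constructed for illustration, and the host comparison is a simplification of the kubelet's own matching.

```python
import base64
import json

def registry_of(image):
    """Registry host of an image reference (Docker Hub when none is given)."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def host_of(auths_key):
    """Reduce an `auths` key such as https://host/v1/ to its bare host."""
    host = auths_key.split("://", 1)[-1].split("/", 1)[0]
    return "docker.io" if host == "index.docker.io" else host

def check_pull_secret(secret, image):
    """Return a list of problems; an empty list means the secret covers the image."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return [f"secret type is {secret.get('type')!r}"]
    try:
        blob = secret["data"][".dockerconfigjson"]
        auths = json.loads(base64.b64decode(blob))["auths"]
        entries = {host_of(k): v for k, v in auths.items()}
    except (KeyError, ValueError, TypeError, AttributeError):
        return [".dockerconfigjson is missing or not base64-encoded JSON with 'auths'"]
    want = registry_of(image)
    if want not in entries:
        return [f"no entry for {want}; secret covers {sorted(entries)}"]
    entry = entries[want]
    # Report only whether credentials exist, never their value.
    if not (entry.get("auth") or (entry.get("username") and entry.get("password"))):
        return [f"entry for {want} carries no credentials"]
    return []

def sample_secret(server):
    """Constructed sample shaped like `kubectl get secret regcred -o json`."""
    cfg = {"auths": {server: {"username": "ci-bot", "password": "placeholder",
                              "auth": base64.b64encode(b"ci-bot:placeholder").decode()}}}
    return {"type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

if __name__ == "__main__":
    image = "my-registry.io/my-app:latest"  # image from the Pod spec in Step 4
    print(check_pull_secret(sample_secret("my-registry.io"), image))
    print(check_pull_secret(sample_secret("https://other-registry.io"), image))
```

To check a real secret, pass the parsed output of `kubectl get secret regcred -n <namespace> -o json` as `secret` and the image string from the Pod spec as `image`.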
