Showing results for 
Show  only  | Search instead for 
Did you mean: 

Troubleshoot Kubernetes ErrorImagePullBackOff



ImagePullBackoff error on OneAgent and ActiveGate pods

The underlying host's container runtime doesn't contain the certificate presented by your endpoint.

Note: The skipCertCheck field in the DynaKube YAML does not control this certificate check.

Example error (the error message may vary):


desc = failed to pull and unpack image "<environment>/linux/activegate:latest": failed to resolve reference "<environment>/linux/activegate:latest": failed to do request: Head "<environment>/linux/activegate/manifests/latest": x509: certificate signed by unknown authority
Warning Failed ... Error: ErrImagePull
Normal BackOff ... Back-off pulling image "<environment>/linux/activegate:latest"
Warning Failed ... Error: ImagePullBackOff

In this example, if the description on your pod shows x509: certificate signed by unknown authority, you must fix the certificates on your Kubernetes hosts, or use the private repository configuration to store the images.

The documentation does not explicitly describe how to fix the Certificates on Kubernetes Hosts but just mention they need to be fixed.

Does anyone have a stepwise guide on how to fix this by resolving the certificate issue

Dynatrace Certified Associate

Dynatrace Guide
Dynatrace Guide

The documentation does not describe the fix because 1) it is not Dynatrace product-related issue, 2) each environment has security requirements and technology dependency. The issue occurs because your container runtime client, which is responsible for pulling images from an image repository, does not trust the cert provided by that resource.

To solve this certificate issue, you need to add the certificate of the private image repository to the trusted CA (Certificate Authority) of your Kubernetes/Openshift cluster.


I had a similar issue and resolved it by putting the Certificate Authority certificate in a file called ca.crt under /etc/docker/certs.d/<environment URL:port>


We are having the same issue in Openshift 4.x. We confirmed the skip auth is set to true in the yaml. Per your solution, I have the ca.cert but I don't know where do I place this ca.cert bundle from the openshift end to get this resolved?

I believe this is what you are looking for and look for additionalTrustedCA 

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

Featured Posts