cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Troubleshoot Kubernetes ErrorImagePullBackOff

echwallah
Helper

 

ImagePullBackoff error on OneAgent and ActiveGate pods

The underlying host's container runtime doesn't contain the certificate presented by your endpoint.

Note: The skipCertCheck field in the DynaKube YAML does not control this certificate check.

Example error (the error message may vary):

 

copydownload
desc = failed to pull and unpack image "<environment>/linux/activegate:latest": failed to resolve reference "<environment>/linux/activegate:latest": failed to do request: Head "<environment>/linux/activegate/manifests/latest": x509: certificate signed by unknown authority
Warning Failed ... Error: ErrImagePull
Normal BackOff ... Back-off pulling image "<environment>/linux/activegate:latest"
Warning Failed ... Error: ImagePullBackOff

In this example, if the description on your pod shows x509: certificate signed by unknown authority, you must fix the certificates on your Kubernetes hosts, or use the private repository configuration to store the images.

The documentation does not explicitly describe how to fix the Certificates on Kubernetes Hosts but just mention they need to be fixed.

Does anyone have a stepwise guide on how to fix this by resolving the certificate issue

Dynatrace Certified Associate
2 REPLIES 2

shahinm
Dynatrace Enthusiast
Dynatrace Enthusiast

The documentation does not describe the fix because 1) it is not Dynatrace product-related issue, 2) each environment has security requirements and technology dependency. The issue occurs because your container runtime client, which is responsible for pulling images from an image repository, does not trust the cert provided by that resource.

To solve this certificate issue, you need to add the certificate of the private image repository to the trusted CA (Certificate Authority) of your Kubernetes/Openshift cluster.

CosmicDu5t
Newcomer

I had a similar issue and resolved it by putting the Certificate Authority certificate in a file called ca.crt under /etc/docker/certs.d/<environment URL:port>