Advanced 3 min · March 06, 2026

Kubernetes Namespace Terminating — Finalizer Debug Strategy

Q: Why is my Pod OOMKilled even if the node has plenty of free RAM?

OOMKill (Exit Code 137) is enforced at the container level by the Cgroup, not the node level. If your container's memory usage exceeds its defined 'Limit' in the YAML, the kernel will kill the process to protect the rest of the node, regardless of how much 'free' RAM the physical machine has.

Q: What is the difference between a 'Taint' and a 'NodeSelector'?

A NodeSelector (or NodeAffinity) is a preference or requirement for a Pod to go to a specific node (the Pod wants the Node). A Taint is the opposite: it allows a Node to repel a set of Pods (the Node rejects the Pod) unless those Pods have a specific 'Toleration'.

Q: What happens if etcd goes down?

If etcd is unavailable, the cluster becomes 'read-only.' Existing workloads will continue to run, but no new Pods can be scheduled, no Deployments can be updated, and the API server will return 500 errors for any write operations. High availability for etcd (3 or 5 nodes) is critical for production clusters.

Q: How does the scheduler decide where to place a Pod?

The scheduler uses a two-phase process: Filtering (eliminates nodes that cannot run the Pod based on resource availability, taints, affinity, topology constraints) and Scoring (ranks feasible nodes by desirability using resource balance, image locality, pod spread). The highest-scoring node wins.

Q: What is the admission webhook chain and why does it matter?

Every Kubernetes write request passes through: Authentication -> Authorization -> Mutating Admission Webhooks -> Schema Validation -> Validating Admission Webhooks -> etcd. Mutating webhooks can modify objects (e.g., inject sidecars). Validating webhooks can reject objects (e.g., OPA policies). If a webhook is unavailable and has `failurePolicy: Fail`, the entire operation is rejected.

Q: How do I debug a namespace stuck in Terminating?

List all resources in the namespace and check for finalizers: `kubectl api-resources --verbs=list -o name | xargs -n 1 kubectl get -n --ignore-not-found -o json | jq '.items[] | select(.metadata.finalizers)'`. Each finalizer blocks deletion until the responsible controller acknowledges cleanup. If the controller is broken, you may need to patch the finalizer to null manually.

A missing IAM permission caused CCM to fail to remove finalizer, blocking namespace deletion for 3 days — debug this for production and interviews.

Naren · Founder

Plain-English first. Then code. Then the interview question.

About

● Production Incident 🔎 Debug Guide

⚡Quick Answer

Control Plane request lifecycle: Auth -> Mutating Webhook -> Validation -> etcd -> Controllers -> Scheduler -> Kubelet
etcd: Raft consensus, split-brain scenarios, compaction, and why disk latency kills clusters
Networking: CNI overlay vs flat networking, kube-proxy iptables vs IPVS, NetworkPolicy enforcement
Resource Management: Requests vs Limits, QoS classes, OOMKill behavior, CPU throttling
Autoscaling: HPA algorithm, stabilization windows, KEDA, HPA/VPA conflict
RBAC and Admission: Webhook chains, OPA/Gatekeeper, service account token risks

Plain-English First

Imagine a massive airport with hundreds of flights (your apps), gates (servers), ground crew (Kubernetes components), and air traffic control (the scheduler). Kubernetes is the entire airport management system — it decides which plane parks at which gate, reroutes flights when a gate breaks, and makes sure no single runway gets overloaded. When an interviewer asks about Kubernetes internals, they're asking you to explain how the airport actually runs — not just that planes land and take off.

Kubernetes has become the de facto operating system for cloud-native infrastructure. At senior and staff-level interviews, nobody is going to ask you what a Pod is. They want to know what happens inside the API server when you run kubectl apply, why your HPA isn't scaling when CPU is clearly spiking, or how etcd consistency guarantees affect your cluster's behaviour under partition.

The gap between 'I know Kubernetes' and 'I understand Kubernetes' comes down to internals. When something breaks at 3am — a node drains but Pods stay Pending, a Deployment rolls out but traffic never shifts, a namespace hangs in Terminating forever — the engineers who can diagnose and fix fast are the ones who understand the watch-loop reconciliation model, the scheduler predicates and priorities, and how the CNI interacts with kube-proxy.

This guide covers the failure modes, edge cases, and architectural decisions that surface in real senior/staff-level interviews at companies running Kubernetes at scale. Every question maps to a production incident you will eventually encounter.

The Anatomy of a Request: What Happens When You Run 'kubectl apply'?

A senior candidate must articulate the journey of a manifest from the CLI to the Kubelet. It isn't just 'the API server saves it.' The lifecycle involves Authentication/Authorization, Mutating Admission Webhooks (which might inject sidecars like Istio or Linkerd), Schema Validation, and finally, Validating Admission Webhooks (like OPA/Gatekeeper).

Once persisted in etcd, the Control Plane controllers see the state change via a watch event. The Deployment controller creates a ReplicaSet, which creates Pod objects. These Pods remain in a 'Pending' state with an empty nodeName until the Kube-Scheduler performs its two-step dance: Filtering (Predicates) to find capable nodes, and Scoring (Priorities) to find the best node. Only then does the Kubelet on the target node see the Pod and instruct the Container Runtime (CRI) to pull images and start containers.

io/thecodeforge/k8s/production-pod.yamlYAML

apiVersion: v1
kind: Pod
metadata:
  name: forge-app
  namespace: production
  labels:
    app: forge-api
    tier: backend
spec:
  containers:
  - name: forge-container
    image: io.thecodeforge/api:v1.2.0
    resources:
      requests:
        memory: "256Mi"
        cpu: "500m"
      limits:
        memory: "512Mi"
        cpu: "1"
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8080
      initialDelaySeconds: 15
    readinessProbe:
      httpGet:
        path: /ready
        port: 8080
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app: forge-api

Output

pod/forge-app created

The Request Lifecycle Chain

Authentication: Service account tokens, OIDC, certificates.
Authorization: RBAC, ABAC, Webhook authorizers.
Mutating Webhooks: Istio sidecar injection, default resource limits, label injection.
Validating Webhooks: OPA/Gatekeeper policies, image signature verification, namespace quotas.
etcd: Only persisted after all gates pass. The API Server is the only component that writes to etcd.

Production Insight

Mutating admission webhooks can cause cascading failures. If a webhook is unavailable (timeout or crash), the API Server cannot complete the admission chain and all create/update operations for affected resources fail. This is a common cause of 'the entire cluster stopped accepting changes' incidents. Mitigate with: failurePolicy: Ignore for non-critical webhooks, webhook HA (multiple replicas), and monitoring webhook latency. Never set failurePolicy: Fail on a webhook that is not absolutely critical.

Key Takeaway

The kubectl apply lifecycle is a chain of gates, not a single write. Each gate can fail independently. Understanding which gate failed (auth, mutating webhook, validation, etcd) is the key to debugging API Server errors.

Networking Internals: Services, Kube-Proxy, and the CNI

A Service in Kubernetes is not a process; it's a virtual IP (VIP) managed by kube-proxy. You should be prepared to explain the difference between the legacy iptables mode and the modern IPVS mode. While iptables uses sequential rule checking (O(n) complexity), IPVS uses hash tables (O(1) complexity), making it significantly more performant for clusters with thousands of services.

Furthermore, the CNI (Container Network Interface) is responsible for the 'plumbing' — assigning IPs to Pods and ensuring they can talk across nodes. If an interviewer asks why a Pod can't reach another Pod, your answer should start with the CNI overlay (Calico/Cilium) and move to NetworkPolicies, rather than just 'checking the app logs.'

io/thecodeforge/k8s/debug-network.shBASH

# TheCodeForge Network Debugging Toolkit
# Package: io.thecodeforge.k8s

# 1. Check if the Service IP is active in iptables
iptables -L -t nat | grep FORGE-SERVICE-NAME

# 2. Inspect the CNI logs on the specific node
journalctl -u kubelet | grep cni

# 3. Test Pod-to-Pod connectivity bypassing the Service VIP
kubectl exec -it debug-pod -- curl <target-pod-ip>:8080/healthz

# 4. Check kube-proxy mode and health
kubectl get configmap kube-proxy -n kube-system -o yaml | grep mode
kubectl logs -n kube-system -l k8s-app=kube-proxy | tail -50

# 5. Verify NetworkPolicy is not blocking traffic
kubectl get networkpolicy -n <namespace> -o yaml
# If policies exist, check ingress/egress rules against the Pod's labels

Output

Chain KUBE-SERVICES (2 references)

DNAT tcp -- 0.0.0.0/0 10.96.0.10 tcp dpt:53

iptables vs IPVS: The Performance Trade-off

iptables: Simple, well-understood, but O(n) rule matching. No native load balancing algorithms.
IPVS: O(1) hash matching, native LB algorithms (rr, lc, sh), but more complex debugging.
eBPF (Cilium): Bypasses both iptables and IPVS entirely. Kernel-level packet processing. The future.
kube-proxy is being replaced by eBPF-based CNIs in high-performance clusters.

Production Insight

The externalTrafficPolicy field on a Service controls how traffic from outside the cluster is routed. externalTrafficPolicy: Cluster (default) distributes traffic evenly across all nodes, then to pods. This loses the client source IP. externalTrafficPolicy: Local only routes traffic to nodes that have local pods, preserving the source IP but risking uneven load distribution if pods are not evenly spread. This is a common interview question and a common production misconfiguration.

Key Takeaway

Kubernetes networking has three layers: CNI (pod-to-pod), kube-proxy (service VIP to pod), and NetworkPolicy (traffic filtering). Debugging connectivity requires checking all three. The industry is moving from iptables to eBPF-based CNIs (Cilium) for performance and observability.

etcd Internals: Raft, Consistency, and Failure Modes

etcd is the single source of truth for all Kubernetes cluster state. It uses the Raft consensus algorithm to replicate data across an odd number of members (typically 3 or 5). Understanding Raft is essential for diagnosing cluster-wide failures.

io/thecodeforge/k8s/etcd-debug.shBASH

# etcd Diagnostic Commands
# Package: io.thecodeforge.k8s

# 1. Check cluster member health
etcdctl endpoint health --cluster --write-out=table

# 2. Check member status (leader, DB size, Raft index)
etcdctl endpoint status --write-out=table

# 3. Check for alarm conditions (e.g., NOSPACE)
etcdctl alarm list

# 4. Defragment a member (reclaims space after compaction)
etcdctl defrag --endpoints=<endpoint>

# 5. Compact old revisions (prevents unbounded DB growth)
etcdctl compact $(etcdctl endpoint status --write-out=json | jq '.[0].Status.header.revision')

# 6. Snapshot backup
etcdctl snapshot save /backup/etcd-$(date +%Y%m%d-%H%M%S).db

Output

etcd cluster diagnostics complete.

Raft Consensus: How etcd Handles Partitions

Raft leader: Elected by members. All writes go through the leader.
Heartbeat interval: Leader sends heartbeats (default 100ms). If a follower misses elections (default 1000ms), it starts a new election.
Disk latency: etcd requires fsync on every write. Slow disks cause leader elections and cluster instability.
Compaction: Old revisions accumulate. Periodic compaction and defragmentation are required to prevent unbounded growth.

Production Insight

etcd's --quota-backend-bytes (default 2GB, max 8GB) is the hard limit on the database size. If exceeded, etcd enters a maintenance mode that rejects all writes, effectively halting the cluster. Monitor etcd_mvcc_db_total_size_in_bytes and alert at 75%. Run compaction and defragmentation regularly. In large clusters with many ConfigMaps/Secrets, etcd can grow quickly. Consider externalizing large data (e.g., Helm charts) to object storage.

Key Takeaway

etcd is the cluster's single point of failure. Raft consensus prevents split-brain but requires quorum. Disk latency is the most common cause of etcd instability. Monitor, compact, defragment, and backup etcd as critical infrastructure.

Resource Management: Requests, Limits, and QoS Classes

Resource requests and limits are not just about preventing OOMKills. They define the contract between the application and the scheduler. Requests are used for scheduling decisions (can this Pod fit on this node?). Limits are enforced by the kernel cgroup (can this Pod use more than allocated?).

io/thecodeforge/k8s/resource-qos.yamlYAML

# QoS Class: Guaranteed (requests == limits for all containers)
# Highest priority during eviction. Never OOMKilled unless node is under extreme pressure.
apiVersion: v1
kind: Pod
metadata:
  name: critical-service
  namespace: production
spec:
  containers:
    - name: app
      image: io.thecodeforge/api:stable
      resources:
        requests:
          cpu: "500m"
          memory: "512Mi"
        limits:
          cpu: "500m"      # Equal to request = Guaranteed QoS
          memory: "512Mi"   # Equal to request = Guaranteed QoS
---
# QoS Class: Burstable (requests < limits)
# Medium priority. Can burst above request but may be evicted under pressure.
apiVersion: v1
kind: Pod
metadata:
  name: web-frontend
  namespace: production
spec:
  containers:
    - name: app
      image: io.thecodeforge/frontend:latest
      resources:
        requests:
          cpu: "200m"
          memory: "256Mi"
        limits:
          cpu: "1"          # Can use up to 1 CPU core
          memory: "1Gi"     # Can use up to 1Gi RAM
---
# QoS Class: BestEffort (no requests or limits set)
# Lowest priority. First to be evicted. Not recommended for production.
apiVersion: v1
kind: Pod
metadata:
  name: debug-tool
  namespace: development
spec:
  containers:
    - name: debug
      image: io.thecodeforge/debug:latest
      # No resources defined = BestEffort QoS

Output

Pods created with different QoS classes.

QoS Classes and Eviction Priority

Guaranteed: requests == limits for all containers. Highest eviction priority.
Burstable: requests < limits (or only requests set). Medium priority.
BestEffort: No requests or limits. Lowest priority. First to be evicted.
CPU throttling: If CPU limit is set, the container is throttled when it exceeds the limit. This is NOT an eviction — it is a performance penalty.
Memory OOMKill: If memory usage exceeds the limit, the kernel kills the container (OOMKill, exit code 137).

Production Insight

CPU limits cause throttling, not eviction. When a container exceeds its CPU limit, the kernel throttles it (reduces CPU time), which increases latency. For latency-sensitive services, consider removing CPU limits entirely and relying on CPU requests for scheduling. This allows the application to burst when node CPU is available, at the cost of potential noisy-neighbor effects. Monitor CPU throttling via container_cpu_cfs_throttled_periods_total in cAdvisor metrics.

Key Takeaway

Resource requests drive scheduling. Limits drive enforcement. QoS classes determine eviction order. For production, use Guaranteed QoS for critical services and Burstable for variable workloads. Never use BestEffort in production.

RBAC, Service Accounts, and Admission Control

RBAC (Role-Based Access Control) is the primary authorization mechanism in Kubernetes. It defines who (Subject) can do what (Verb) on which resources (Resource) in which scope (Namespace or Cluster). Understanding RBAC is critical for security and for debugging 'access denied' errors.

io/thecodeforge/k8s/rbac-least-privilege.yamlYAML

# Least-privilege RBAC for a microservice
# Package: io.thecodeforge.k8s

# 1. Dedicated ServiceAccount (not default)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: order-service
  namespace: production
automountServiceAccountToken: false  # Disable unless API access needed
---
# 2. Namespace-scoped Role with minimal permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: order-service-role
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["order-service-config"]  # Only specific configmap
    verbs: ["get", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]  # Only specific secret
    verbs: ["get"]
---
# 3. Bind Role to ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: order-service-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: order-service
    namespace: production
roleRef:
  kind: Role
  name: order-service-role
  apiGroup: rbac.authorization.k8s.io

Output

Least-privilege RBAC configured for order-service.

RBAC Evaluation: How Authorization Decisions Are Made

Role: Namespace-scoped. RoleBinding binds it to subjects within the namespace.
ClusterRole: Cluster-scoped. ClusterRoleBinding binds it to subjects across all namespaces.
ServiceAccount: The identity for a Pod. Default SA is mounted into every Pod unless automountServiceAccountToken: false.
Aggregated ClusterRoles: Combine multiple ClusterRoles using label selectors. Used by operators to extend permissions dynamically.

Production Insight

The default ServiceAccount in every namespace has minimal permissions, but its token is mounted into every Pod by default. If an attacker compromises a Pod, they can use this token to query the Kubernetes API. In many clusters, the default SA has been granted additional permissions over time, expanding the blast radius. Mitigate by: setting automountServiceAccountToken: false as the namespace default, creating dedicated ServiceAccounts per workload, and auditing ClusterRoleBindings regularly with kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>.

Key Takeaway

RBAC is additive with no deny mechanism. Least-privilege design is the only defense. Disable automounting, use dedicated ServiceAccounts, and audit permissions regularly. For deny-based policies, layer OPA/Gatekeeper on top of RBAC.

Scheduler Internals: Filtering, Scoring, and Custom Schedulers

The Kubernetes scheduler is a control loop that watches for Pods with an empty nodeName and assigns them to nodes. It does not actually run Pods — it only sets the nodeName field, and the kubelet on that node picks up the Pod. The scheduler's decision process has two phases: Filtering (formerly Predicates) and Scoring (formerly Priorities).

io/thecodeforge/k8s/scheduling/SchedulerDecisionModel.javaJAVA

// Simplified scheduler decision model
// Package: io.thecodeforge.k8s.scheduling
package io.thecodeforge.k8s.scheduling;

import java.util.List;
import java.util.Map;

public class SchedulerDecisionModel {

    /**
     * Phase 1: Filtering — Eliminate nodes that cannot run the Pod.
     * Filters are applied in order. If no nodes pass, the Pod stays Pending.
     */
    public List<String> filterNodes(List<String> allNodes, Pod pod) {
        return allNodes.stream()
            .filter(node -> hasEnoughResources(node, pod))     // NodeResourcesFit
            .filter(node -> matchesNodeAffinity(node, pod))    // NodeAffinity
            .filter(node -> toleratesTaints(node, pod))        // TaintToleration
            .filter(node -> matchesPodTopology(node, pod))     // PodTopologySpread
            .filter(node -> hasVolumeCapacity(node, pod))      // VolumeBinding
            .toList();
    }

    /**
     * Phase 2: Scoring — Rank feasible nodes by desirability.
     * Each scoring plugin assigns 0-100 points. Scores are summed.
     * The node with the highest total score wins.
     */
    public Map<String, Integer> scoreNodes(List<String> feasibleNodes, Pod pod) {
        // Simplified: In reality, each plugin scores independently
        return feasibleNodes.stream()
            .collect(java.util.stream.Collectors.toMap(
                node -> node,
                node -> scoreResourceBalancing(node, pod)    // NodeResourcesBalancedAllocation
                      + scorePodSpread(node, pod)             // PodTopologySpread
                      + scoreInterPodAffinity(node, pod)      // InterPodAffinity
                      + scoreImageLocality(node, pod)         // ImageLocality
            ));
    }

    private boolean hasEnoughResources(String node, Pod pod) { return true; }
    private boolean matchesNodeAffinity(String node, Pod pod) { return true; }
    private boolean toleratesTaints(String node, Pod pod) { return true; }
    private boolean matchesPodTopology(String node, Pod pod) { return true; }
    private boolean hasVolumeCapacity(String node, Pod pod) { return true; }
    private int scoreResourceBalancing(String node, Pod pod) { return 50; }
    private int scorePodSpread(String node, Pod pod) { return 50; }
    private int scoreInterPodAffinity(String node, Pod pod) { return 50; }
    private int scoreImageLocality(String node, Pod pod) { return 50; }
}

Output

Scheduler decision model: filter then score.

Filtering vs Scoring: The Two-Phase Dance

NodeResourcesFit: Checks if the node has enough CPU/memory for the Pod's requests.
NodeAffinity: Matches nodeSelector and nodeAffinity rules.
TaintToleration: Ensures the Pod tolerates all taints on the node.
PodTopologySpread: Enforces topology spread constraints (zone, hostname).
VolumeBinding: Ensures required PVs can be bound on the node.
ImageLocality: Prefers nodes that already have the container image cached.

Production Insight

The scheduler's scoring phase includes an ImageLocality scorer that prefers nodes with pre-pulled images. This can cause scheduling skew: nodes that have run a Pod before score higher for the same Pod, leading to uneven distribution. To counter this, use topologySpreadConstraints or podAntiAffinity to force spread. Also, the scheduler's --percentage-of-nodes-to-score flag (default 50%) limits scoring to a subset of feasible nodes for performance. In small clusters, set this to 100% to ensure optimal placement.

Key Takeaway

The scheduler is a filter-then-score pipeline. Pending Pods always have a reason — check the events. Custom scheduling can be achieved via scheduler plugins or a second scheduler. Image locality scoring can cause unexpected skew.

Probes Deep Dive: Liveness, Readiness, and Startup

Probes are the kubelet's mechanism for monitoring container health. Misconfigured probes are one of the most common causes of production incidents: liveness probes that kill healthy-but-slow containers, readiness probes that flap during cache warm-up, and missing startup probes that cause crash loops on legacy applications.

io/thecodeforge/k8s/probes-production.yamlYAML

# Production-grade probe configuration
# Package: io.thecodeforge.k8s
apiVersion: v1
kind: Pod
metadata:
  name: api-server
  namespace: production
spec:
  containers:
    - name: api
      image: io.thecodeforge/api:3.0.0
      # Startup probe: Gates liveness/readiness until app boots
      # Critical for apps with slow startup (>30s)
      startupProbe:
        httpGet:
          path: /healthz
          port: 8080
        initialDelaySeconds: 5
        periodSeconds: 5
        failureThreshold: 30    # 30 * 5s = 150s max startup time
        successThreshold: 1
      # Liveness probe: Detects deadlocks and hung processes
      # Only active after startup probe succeeds
      livenessProbe:
        httpGet:
          path: /healthz
          port: 8080
        periodSeconds: 10
        failureThreshold: 3     # 3 failures = restart after 30s
        successThreshold: 1
        timeoutSeconds: 5
      # Readiness probe: Controls traffic routing
      # Failing = removed from Service endpoints
      readinessProbe:
        httpGet:
          path: /ready
          port: 8080
        periodSeconds: 5
        failureThreshold: 2     # 2 failures = remove from endpoints after 10s
        successThreshold: 1     # 1 success = add back to endpoints
        timeoutSeconds: 3
      resources:
        requests:
          cpu: "500m"
          memory: "512Mi"

Output

Pod created with production-grade probe configuration.

Probe Interaction: The Startup Gate

Startup probe: Only runs during boot. Gates liveness/readiness.
Liveness probe: Runs continuously. Failure = container restart.
Readiness probe: Runs continuously. Failure = remove from Service endpoints.
Probe types: httpGet, tcpSocket, exec (command).
timeoutSeconds: Must be less than periodSeconds, or the probe is always considered failed.

Production Insight

Liveness probes that check downstream dependencies (database, cache) cause cascading failures. If the database is slow, the liveness probe fails, the container restarts, and the restart increases load on the database, causing more liveness failures. The fix: liveness probes should check ONLY the application's internal health (is the process responsive?). Readiness probes can check dependencies (is the application ready to serve traffic?). This separation prevents dependency failures from causing container restarts.

Key Takeaway

Use startup probes for slow-booting applications. Liveness probes check internal health only. Readiness probes can check dependencies. Never let a liveness probe check downstream services — it causes cascading restart storms.

● Production incidentPOST-MORTEMseverity: high

Namespace Stuck in Terminating: Finalizer Blocking Cluster Decommission

Symptom

kubectl delete namespace <ns> returned successfully but namespace remained in Terminating state. No new resources could be created in the namespace. Cluster decommission timeline slipped by 3 days.

Assumption

The namespace deletion was stuck due to remaining resources (Pods, PVCs) that had not been fully cleaned up.

Root cause

The Service of type LoadBalancer had a finalizer (service.kubernetes.io/load-balancer-cleanup). The cloud controller manager (CCM) was responsible for removing this finalizer after deleting the cloud load balancer. However, the CCM had been redeployed with a new service account that lacked IAM permissions to delete load balancers. The CCM silently failed to remove the finalizer, and Kubernetes refused to complete namespace deletion because finalizers were still present on resources within the namespace.

Fix

1. Restored IAM permissions for the CCM service account to manage load balancers. 2. Patched the Service to remove the finalizer manually: kubectl patch service <name> -p '{"metadata":{"finalizers":null}}'. 3. Verified the cloud load balancer was already deleted (no orphaned resources). 4. Namespace deletion completed immediately after finalizer removal. 5. Added monitoring for namespaces in Terminating state for more than 5 minutes.

Key lesson

Finalizers block deletion until the responsible controller acknowledges cleanup. If the controller is broken, deletion hangs indefinitely.
Never manually delete cloud resources (load balancers, volumes) without ensuring the controller can reconcile. Orphaned resources cost money.
Monitor for resources stuck in Terminating state. It is always a sign of a broken controller or missing permissions.
When debugging Terminating hangs, check kubectl get <resource> -o json | jq .metadata.finalizers to identify which controller is blocking.

Production debug guideSymptom-first investigation path for senior-level Kubernetes failures.6 entries

Symptom · 01

Pod stuck in Pending with no events.

→

Fix

Check if the scheduler is running and healthy. Verify node resources are sufficient. Check for taints/tolerations mismatches. Look for PVC binding failures if the Pod uses persistent volumes.

Symptom · 02

Pod stuck in ImagePullBackOff despite image existing.

→

Fix

Check ImagePullSecrets on the Pod's ServiceAccount. Verify node IAM roles for private registries. Check disk pressure on the node. Inspect kubelet logs for the actual pull error.

Symptom · 03

Namespace stuck in Terminating.

→

Fix

List all resources in the namespace with finalizers:

kubectl api-resources --verbs=list -o name | xargs -n 1 kubectl get -n <ns> --ignore-not-found -o json | jq '.items[] | select(.metadata.finalizers) | {kind: .kind, name: .metadata.name, finalizers: .metadata.finalizers}'

. Patch or investigate each blocking resource.

Symptom · 04

Service returns 503 intermittently.

→

Fix

Check readiness probes. Pods failing readiness are removed from endpoints but existing connections may still be routed. Check externalTrafficPolicy — if set to Local, traffic only routes to nodes with local pods. Check kube-proxy mode and logs.

Symptom · 05

Deployment rollout hangs at 'Waiting for rollout'.

→

Fix

Check kubectl rollout status deployment/<name>. If maxUnavailable is 0 and a new pod cannot be scheduled, the rollout blocks forever. Check for resource quota limits, PDB conflicts, and node capacity.

Symptom · 06

etcd cluster unhealthy, leader elections failing.

→

Fix

Check etcd member health: etcdctl endpoint health --cluster. Check disk latency on etcd nodes (iostat -x 1). High fsync latency causes Raft timeouts. Check network connectivity between etcd members.

★ Advanced Kubernetes Triage CommandsRapid commands for diagnosing complex Kubernetes failures.

Pod stuck in Pending.−

Immediate action

Check scheduler events and node capacity.

Commands

kubectl describe pod <pod> | grep -A 20 Events

kubectl describe nodes | grep -A 5 Allocatable -B 2

Fix now

If 'Insufficient cpu/memory', scale cluster or reduce requests. If 'node(s) had taint', add tolerations or remove taints.

Namespace stuck in Terminating.+

Service returning 503.+

etcd cluster degraded.+

RBAC permission denied errors in application logs.+

Probe Types: Liveness vs Readiness vs Startup

Aspect	Liveness Probe	Readiness Probe	Startup Probe
Primary Goal	Detect deadlocks and hung processes	Control traffic routing to the Pod	Gate liveness/readiness until boot completes
Failure Action	Kubelet kills the container; triggers restart	Pod removed from Service endpoints; no traffic	If it fails, container is restarted like liveness
Success Action	Container continues running	Pod added to Service endpoints; receives traffic	Liveness and readiness probes are activated
Runs When	After startup probe succeeds (or immediately if no startup probe)	After startup probe succeeds (or immediately if no startup probe)	Immediately when container starts
Typical Use Case	Catching deadlocks, memory leaks, infinite loops	Waiting for cache warm-up, DB connection pool init	Legacy apps with 2+ minute startup times
Failure Threshold	3 (default) — restart after 3 failures	3 (default) — remove from endpoints after 3 failures	30 (recommended) — allows up to 150s startup with 5s period
Common Mistake	Checking downstream dependencies (DB, cache) — causes cascading restarts	Too aggressive — causes endpoint flapping during transient load	Missing entirely — causes CrashLoopBackOff for slow-starting apps

Key takeaways

Kubernetes is a state-reconciliation engine; controllers constantly work to drive 'Current State' toward the 'Desired State' stored in etcd.

The Control Plane request flow (Auth -> Mutating -> Validating -> Etcd) is the gatekeeper of cluster stability.

Resource management isn't just about avoiding OOMKills; it's about defining 'Requests' accurately so the Scheduler can make intelligent placement decisions.

Networking in K8s relies on a combination of the CNI (Pod-to-Pod) and kube-proxy (Service abstraction) to handle the ephemeral nature of IPs.

etcd is the single point of failure. Raft consensus prevents split-brain but requires quorum. Disk latency is the most common cause of instability.

RBAC is additive with no deny mechanism. Least-privilege design, dedicated ServiceAccounts, and admission webhooks for policy enforcement are the production standard.

Probes are the difference between a resilient service and a cascading failure. Liveness checks internal health only. Readiness can check dependencies. Startup gates both.

Every production Kubernetes failure has a root cause in one of

etcd, scheduler, kubelet, CNI, or admission webhooks. Knowing which component to check first is the skill.

INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

FAQ · 6 QUESTIONS

Frequently Asked Questions

Why is my Pod OOMKilled even if the node has plenty of free RAM?

What is the difference between a 'Taint' and a 'NodeSelector'?

What happens if etcd goes down?

How does the scheduler decide where to place a Pod?

What is the admission webhook chain and why does it matter?

How do I debug a namespace stuck in Terminating?

🔥

That's DevOps Interview. Mark it forged?

3 min read · try the examples if you haven't