Kubernetes

How to Fix Kubernetes ImagePullBackOff

Resolve Kubernetes image pull failures by checking image names, tags, registry authentication, node connectivity, and architecture compatibility.

Updated 2026-07-122 min read

ImagePullBackOff means Kubernetes failed to download a container image and is delaying the next attempt. The pod event normally distinguishes a missing image, authentication failure, network problem, rate limit, or incompatible manifest.

Read the pull event

kubectl describe pod POD -n NAMESPACE
kubectl get events -n NAMESPACE --sort-by=.lastTimestamp

Look for messages such as not found, pull access denied, unauthorized, i/o timeout, too many requests, or no matching manifest.

Verify the exact image reference

kubectl get pod POD -n NAMESPACE -o jsonpath='{.spec.containers[*].image}'

Confirm the registry hostname, repository path, tag, and digest. Avoid relying on mutable latest tags for production releases.

Inspect registry credentials

List the referenced pull secrets without printing their contents:

kubectl get pod POD -n NAMESPACE -o jsonpath='{.spec.imagePullSecrets[*].name}'
kubectl get serviceaccount default -n NAMESPACE -o yaml

Confirm that the Secret exists in the same namespace and uses type kubernetes.io/dockerconfigjson. Do not decode registry credentials into shared terminal logs.

Check node-specific failures

If only some pods fail, identify their nodes:

kubectl get pods -n NAMESPACE -o wide
kubectl describe node NODE

The node may lack registry DNS, proxy configuration, disk space, trusted certificates, or the CPU architecture required by the image.

Diagnose it with Rumus

AI-native terminal Commands require your approval
Why use Rumus for this diagnosis?

Rumus is an AI-native terminal that can use your current Kubernetes context to correlate pods, events, logs, controllers, resources, and nodes. It keeps the investigation read-only until you approve a proposed change.

What Rumus can inspect

  • Pods, events, previous logs, and owning controllers
  • Resources, probes, scheduling rules, and node state
  • Secret-aware output and approval before cluster changes
Download Rumus
Diagnose this ImagePullBackOff. Inspect pod events, exact image references, pull
secret names and types, service account configuration, affected nodes, registry
reachability, rate limits, and image architecture. Never print or decode secret
values, and do not modify the workload without approval.

Confirm the fix

Watch the pod after correcting the image or authentication configuration:

kubectl get pods -n NAMESPACE -w
kubectl describe pod POD -n NAMESPACE

The container should move through Pulling and Pulled to Created and Started without another backoff event.

Diagnose the real environment

Open the server in Rumus and let the AI agent inspect context, propose a plan, and ask before it runs changes.

Download Rumus