Diagnostic Questions

Before revealing the investigation path:

  1. The deployment shows ImagePullBackOff with "authentication required," but other services deploy fine from the same registry. What would you check first — the imagePullSecret, the ServiceAccount, or the registry?

  2. You decode the imagePullSecret and find the password starts with "hvs.", a Vault token prefix. The secret is 47 days old. What does this tell you about the credential lifecycle? What system should be refreshing it?

  3. The External Secrets Operator shows SecretSyncedError with "403 permission denied" from Vault. How do you determine whether the issue is the Vault policy, the Vault token, or the Vault role binding?

  4. The Vault policy was accidentally deleted during a cleanup. Why is the correct fix to restore the policy and update the IaC (devops tooling) rather than just recreating the Kubernetes Secret with fresh credentials (kubernetes) or manually rotating the Vault credentials (security)?

  5. What guardrails would prevent a Vault policy cleanup from breaking production secret synchronization? Consider both Vault-side protections and Kubernetes-side monitoring.