Grading Checklist

• Identifies that the image pull secret contains expired/old credentials after rotation.
• Checks pod events for the specific unauthorized error message.
• Inspects the imagePullSecrets field in the pod spec or service account.
• Decodes the secret to verify the stored credentials: kubectl get secret <name> -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d.
• Creates or updates the secret with new credentials using kubectl create secret docker-registry.
• Notes that the secret must be in the same namespace as the pod.
• Mentions the option of attaching imagePullSecrets to the default service account for namespace-wide effect.
• Recommends automating secret rotation to stay in sync with credential rotation.
• Distinguishes between ErrImagePull (first attempt) and ImagePullBackOff (backing off after repeated failures).
• Suggests testing credentials with docker login or crane auth login before updating the secret.
• Notes that existing running pods are unaffected since the image is already pulled; only new pods fail.