Articles

Fix Kubernetes Back-Off Pulling Image Warnings (2026)

April 18, 2026 5 min read

The ImagePullBackOff error means the kubelet on your node is repeatedly failing to pull the container image your pod needs, and it’s giving up for a while before trying again. This isn’t just a transient network blip; it’s a persistent failure that stops your pod from starting.

Image Registry Authentication Failure

The most common reason is that your Kubernetes cluster can’t authenticate with the container image registry. This happens when the imagePullSecrets in your pod spec are missing, incorrect, or the credentials within them have expired or changed.

Diagnosis: Check your pod’s events for ErrImagePull or ImagePullBackOff. Then, inspect the pod definition:

kubectl describe pod <pod-name> -n <namespace>

Look for the Events section. If you see messages like "failed to pull image … authentication required" or "unauthorized," this is your culprit. Also, verify the imagePullSecrets listed under the pod’s spec.

Fix: Ensure you have a Kubernetes Secret of type kubernetes.io/dockerconfigjson containing valid registry credentials. If you don’t, create one:

kubectl create secret docker-registry my-registry-secret \
  --docker-server=<your-registry-server> \
  --docker-username=<your-username> \
  --docker-password=<your-password> \
  --docker-email=<your-email> \
  -n <namespace>

Then, add this secret to your pod’s service account or directly to the pod spec:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-container
    image: <your-registry>/<your-image>:<tag>
  imagePullSecrets:
  - name: my-registry-secret

This works because the kubelet uses the credentials in the specified secret to authenticate with the registry when pulling the image.

Incorrect Image Name or Tag

A simple typo in the image name or an invalid tag will cause the registry to report the image as not found.

Diagnosis: Again, kubectl describe pod <pod-name> -n <namespace> is your friend. Look for messages like "manifest unknown" or "image not found." Double-check the exact spelling and case of your image name and tag against what’s actually in the registry.

Fix: Correct the image: field in your pod or deployment YAML to match the exact image name and tag available in your registry. For example, change my-app:latest to my-app:v1.2.3 if latest doesn’t exist or is not what you intended. This fix directly addresses the reference to a non-existent resource.

Registry Unreachable or Down

The container registry itself might be temporarily unavailable, or there might be a network issue preventing your Kubernetes nodes from reaching it.

Diagnosis: From one of your Kubernetes nodes (you can exec into a pod and then chroot or SSH into the node if possible), try to pull the image manually:

docker pull <your-registry>/<your-image>:<tag>

If this fails with network errors or timeouts, the problem is likely external to Kubernetes. Check your node’s network connectivity, firewall rules, and the status of the image registry.

Fix: Resolve the network connectivity issue. This could involve:

  • Firewall Rules: Ensure your node’s firewall (e.g., iptables, ufw) or cloud provider security groups allow egress traffic to the registry’s IP address and port (usually 443 for HTTPS).
  • DNS Resolution: Verify that your nodes can resolve the registry’s hostname. Run nslookup <your-registry-server> from a node. If it fails, check your node’s DNS configuration (/etc/resolv.conf).
  • Registry Status: Check the status page of your container registry provider for any ongoing incidents. This fixes the issue by restoring the communication path required for image retrieval.

Insufficient Disk Space on Node

If the node where the pod is scheduled doesn’t have enough free disk space to download the image layers, the pull will fail.

Diagnosis: SSH into the node where the pod is attempting to run (check kubectl get pod <pod-name> -o wide to find the node). Run df -h to check available disk space, paying attention to the partition used by Docker or containerd (often /var/lib/docker or /var/lib/containerd).

Fix:

  • Clean Up Old Images/Containers: Run docker image prune -a or docker container prune (or their containerd equivalents) on the node to remove unused images and containers.
  • Increase Disk Size: If the node’s disk is consistently full, you may need to resize the node’s root volume or add more persistent storage. This provides the necessary space for the image layers to be written to disk.

Rate Limiting by the Registry

Public container registries (like Docker Hub) often impose rate limits on how many images can be pulled within a certain time frame, especially for unauthenticated users.

Diagnosis: The kubectl describe pod output might show messages related to rate limiting, or the manual docker pull from the node might return 429 Too Many Requests.

Fix:

  • Authenticate: If you’re pulling from a public registry like Docker Hub, log in using docker login on your nodes or configure imagePullSecrets with an account that has higher pull limits.
  • Use a Mirror/Proxy: Set up a local registry mirror or a caching proxy.
  • Reduce Pull Frequency: If possible, avoid frequent redeployments of the same image or use tags other than latest to prevent unnecessary pulls. This bypasses or satisfies the registry’s limits, allowing the pull to succeed.

Corrupted Image Cache on Node

Occasionally, the local Docker or container runtime cache on a node can become corrupted, leading to pull failures even if the image exists in the registry and credentials are valid.

Diagnosis: This is harder to diagnose directly from Kubernetes events. If all other causes are ruled out, try manually removing the image from the node’s local cache and re-pulling:

# On the node
docker rmi <your-registry>/<your-image>:<tag>
docker pull <your-registry>/<your-image>:<tag>

If the manual pull now succeeds, the local cache was likely the issue.

Fix: Remove the problematic image from the node’s local image cache using docker rmi <image-id> or docker image rm <image-name>:<tag>. Then, let Kubernetes re-attempt the pull. In more severe cases, restarting the container runtime (Docker daemon, containerd) on the node might help. This forces a fresh download of the image.

After fixing ImagePullBackOff, your next immediate challenge will likely be CrashLoopBackOff if the container starts but immediately exits due to an application error.

Want structured learning?

Take the full Kubernetes course →