Troubleshooting Guide
Common Issues
Installation Failures
Check API server health:
Bash # Test API server health
-k https://api.demo.k8s.local:6443/healthz
# Verify API server version
-k https://api.demo.k8s.local:6443/version
Check node and machine status:
Bash get nodes
get machines
describe node <node-name>
Review events:
Bash get events --sort-by= '.metadata.creationTimestamp'
Examine operator status:
Bash get clusteroperators
describe co <operator-name>
Check machine configuration:
Bash get pods -n openshift-machine-config-operator
logs -n openshift-machine-config-operator -l k8s-app= machine-config-server
Check installation logs:
Bash gather bootstrap --dir /root/cluster
Network Issues
Verify DNS resolution:
Bash # Check API server resolution
api.demo.k8s.local +short
# Check internal API server resolution
api-int.demo.k8s.local +short
# Check application wildcard DNS
*.apps.demo.k8s.local +short
Check pod networking:
Bash get pods -n openshift-sdn
logs -n openshift-sdn -l app = sdn
get network.config.openshift.io cluster -o yaml
Review service endpoints:
Bash get endpoints -A
get svc -A
Test network connectivity:
Bash debug node/<node-name> -- chroot /host ip addr show
debug node/<node-name> -- chroot /host ping <target-ip>
Resource Constraints
Check resource usage:
Bash adm top nodes
adm top pods --containers= true --all-namespaces
Review quota usage:
Bash get resourcequota -A
describe quota -n <namespace>
Monitor storage:
Bash get pv,pvc --all-namespaces
get volumeattachment
Certificate Issues
Check certificate status:
Bash get csr
get secret -n openshift-config
Review certificate expiration:
Bash get secret -n openshift-kube-apiserver-operator kube-apiserver-to-kubelet-signer -o jsonpath = '{.metadata.annotations.auth\.openshift\.io/certificate-not-after}'
Verify API server certificates:
Bash get apiserver cluster -o yaml
Authentication and Authorization
Check identity provider configuration:
Bash get oauth cluster -o yaml
get identity
Review role bindings:
Bash get clusterrolebinding
get rolebinding --all-namespaces
Registry Issues
Check registry status:
Bash get pods -n openshift-image-registry
get configs.imageregistry.operator.openshift.io cluster -o yaml
Review storage configuration:
Bash get pvc -n openshift-image-registry
describe pvc -n openshift-image-registry
Collecting Diagnostics
Gather must-gather data:
Bash # General cluster data
adm must-gather
# Specific component data
adm must-gather --image= registry.redhat.io/rhacm2/acm-must-gather-rhel8:v2.8
Review cluster logs:
Bash # Control plane logs
logs -n openshift-controller-manager deployment/controller-manager
# Node logs
adm node-logs <node-name> -u kubelet
# Specific pod logs
logs -n <namespace> <pod-name> --previous
Export cluster state:
Bash # Full cluster state
get all -A -o yaml > cluster-state.yaml
# Specific component state
get nodes -o yaml > nodes-state.yaml
get co -o yaml > operators-state.yaml
Check etcd health:
Bash rsh -n openshift-etcd etcd-<control-plane-node> etcdctl endpoint health
rsh -n openshift-etcd etcd-<control-plane-node> etcdctl endpoint status -w table
Monitor API server metrics:
Bash get --raw /metrics | grep apiserver_request_duration_seconds
DRP -Specific Troubleshooting
Check DRP machine status:
Bash machines show <machine-uuid>
Examine task execution:
Bash tasks status <task-uuid>
tasks logs <task-uuid>
API Health Verification
Test API server health:
Bash # Test API server health directly
-k https://api.demo.k8s.local:6443/healthz
# Get API server version
-k https://api.demo.k8s.local:6443/version
Best Practices
Maintain cluster documentation including:
Network configuration
Storage layout
Authentication setup
Custom configurations
Implement systematic log collection and retention
Create and maintain runbooks for common issues
Document configuration changes and their rationale
Establish clear escalation paths for different types of issues
openshift
troubleshooting
debugging
diagnostics